
Kaspersky Lab would like to alert users in the Middle East and Turkey to the threat of malware delivered through politically-oriented news or social networking forums. The attackers rely heavily on social engineering to exploit users’ trust in the forums they frequent, their curiosity about news relating to the conflict in Syria and their lack of cyber-security awareness. Once the cybercriminals infect the computer, the attackers have full access and control over the victim’s devices and files. The most frequently-targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. There are thought to be around 2,000 victims.

Kaspersky Lab previously reported on so-called Syrian malware, describing many tricks being used in Syria and the region to spy on users. The company also warned about attacks from different teams and many sources. This latest alert refers to malware files found on activist sites and social networking forums, some of which were reported by regional organizations like CyberArabs. All the files conceal a full-featured variant of a Remote Administration Trojan (RAT), capable of seizing full control of a victim’s machine and devices, monitoring all activity and accessing all files.

Malware writers are using multiple techniques to deliver their malicious files and trick victims into running them. Having analyzed hundreds of samples relating to Syrian malware, Kaspersky Lab experts would like to draw special attention to the following examples of social engineering that are used by cybercriminals:

  1. Clean your Skype! (malware is installed after promising users a cleaner that will "protect and encrypt Skype communications")
  2. Let us fix your SSL vulnerability (“to protect and fix SSL weaknesses”)
  3. Did you update to the latest VPN version? (Psiphon, a legitimate application used around the world for anonymity protection, is named, but malware is actually delivered)
  4. Let’s check if your phone number is among the monitored numbers
  5. The Facebook account encryption application
  6. What's your favorite security product? (Kaspersky Lab’s name is used by cybercriminals in an attempt to lure victims into opening and trusting the files they deliver. The powerful free Kaspersky TDSSKiller tool for detecting and removing rootkits is distributed by the cybercriminals through their own channels, bundled with their malware. Rootkits are programs that hide the presence of malware in the system; since a RAT is not a rootkit, it is not identified by this tool).


The thejoe.publicvm.com domain is connected with many samples and is probably the most active one at present: it has probably collected the highest number of victims, estimated in the thousands, both targeted and non-targeted. Along with some of the above-mentioned examples, “the Joe” is using a fake YouTube channel where he posts new social engineering videos and distributes malware files under the name “Lions of the revolution”.

Kaspersky Lab experts expect these attacks to continue and evolve both in quality and quantity. So-called Syrian malware has a strong reliance on social engineering and active development of malicious variants. Nevertheless, most of the files quickly reveal their true nature when inspected carefully. Users in the region should be extra vigilant about what they download and protect themselves with a comprehensive security solution such as Kaspersky Endpoint Security for Business and Kaspersky Internet Security multi-device. Users should also make sure they only download software from trusted sources and official websites.

For more information you can read this Securelist.com blogpost.

Malwares Masked Under Social Media Targeting the Region
