Threat Database Trojans BlackShades

BlackShades

By JubileeX in Trojans

Threat Scorecard

Ranking: 12,075
Threat Level: 60 % (Medium)
Infected Computers: 327
First Seen: June 25, 2012
Last Seen: September 11, 2023
OS(es) Affected: Windows

There's a Trojan infection that is being used in the Syrian government's suppression of its country's political dissidents. This Trojan, known as BlackShades, is a Remote Access Tool (RAT) that allows the attacker command the infected PC from a remote location. In recent attacks, the BlackShades Trojan has deployed against anti-regime activists in Syria in the ongoing conflict in this country. BlackShades, much like the recent DarkComet attacks on Syrian rebels, spreads via Skype. In this case, BlackShades will be disguised as a PIF file supposedly containing a relevant video. However, once it is installed, the people behind the BlackShades can use it to install malware on the victim's computer, steal data, log all activity on it, and even control it from afar.

The BlackShades Trojan Has a Long History

The BlackShades Trojan currently being used in Syria may be derived from the original BlackShades virus, created by an unknown author in China. This virus was first seen in February of 2003 as a Visual Basic virus with ASPack compression. One of the first RATs used for malicious purposes, the original BlackShades infection would enter a computer system via a malicious email attachment or via a network worm. Then, once installed, the BlackShades virus would be used to pull pranks and perform vandalism. Unfortunately, later versions of the BlackShades Trojan, such as the one being used in Syria today, have been adapted in order to cause serious damage and severely compromise the victim's security.

Skype has been a vital tool for Syrian rebels, allowing them to communicate without having to resort to government-controlled networks. Because of this, it seems that pro-government hackers have started to target Syrian activists by distributing fake security add-ons for Skype (in the case of the DarkComet RAT) or distributing malicious attachments as is the case with BlackShades. Attacks from the same organization behind the recent BlackShades infection include a recent attack with a YouTube phishing site that was designed to lure Syrian activists into disclosing their YouTube account information and the distribution of a spy Trojan as a fake update for Adobe Flash. ESG malware researchers strongly advise political dissidents and activists to use encryption, strong anti-malware software from a reputable source, and extra care when downloading data or visiting unknown websites. These kinds of state-sponsored attacks against political dissidents all over the world (including Tibet, Syria, and Iran) continue to grow in sophistication and pervasiveness.

BlackShades Malware Gained Its Fame Due to Syria Civil War

BlackShades is also a Remote Administration Tool (RAT) type of malware that hijacks computers running Windows operating systems and puts them completely under foreign control. BlackShades earned its popularity in 2012 during the civil war in Syria when the Syrian government added BlackShades to its arsenal of weapons in the fight against the Free Syrian Army of rebels which opposed the President Bashar al-Assad. Back then, the attacks were conducted over Skype through compromised accounts whereby soldiers from the rebel army were sent messages containing BlackShades disguised as a PDF file. Once the rebels downloaded the compromised file, the RAT started spreading in a domino effect, infecting all systems it could possibly reach and taking them completely under the control of the Syrian government.

Apart from the attacks in Syria, BlackShades RAT downloads on victims' computers through malicious webpages, external storage devices, or as a drive-by download to other programs.

RATs allow attackers to control an infected PC from a remote location, therefore BlackShades is a very dangerous and powerful tool. It has also been reported that it has all the functionalities of another similar malware threat named DarkComet. Created in 2010 by a young hacker with a computer gaming background and his business partner, BlackShades evolved within just a couple of years from a simple DDoS weapon to a powerful remote administration program that can easily enslave thousands of computers. According to the FBI, BlackShades infected over half a million computers and generated $350,000 in sales during its most active years. That has happened due to the fact that it is a cheap, accessible, and fully functional tool that, at the same time, can be operated by hackers of all skill levels starting from amateurs and going up to large cybercriminal organization.

BlackShades Successors Are Still on the Market

BlackShades' developers claimed that the program is a legal IT surveillance program that has the purpose of helping people to spy on their children, spouses, or their own computer. Potential clients could purchase the program from the developers' official website at a price of $40. However, BlackShades was also sold at the same price on the infamous cybercrime community called HackForums before its creators Michael Hogue and Alex Yucel were arrested in 2012 and 2013, respectively. A year later, another 90 BlackShades users were arrested, and after that, RAT attacks fell to a third of what they used to be.

As the downfall was followed but another uprise, we cannot assume that the malware has become inactive. Moreover, similar threats, probably successors of BlackShades, have emerged in more recent years. In 2015, a person named Stefan Rigo was found guilty for using BlackShades against 14 people, 7 of whom he knew personally. In April 2019, a website focused on cybercrime published some information implying that at least one of the creators of BlackShades is still in the game. Extensive online research reveals that a new RAT very similar to BlackShades has been advertised on underground hacking forums since the middle of 2017. Behind WebMonitor stands a Swedish company named RevCode, while certain records indicate that the owner of this company is Axel Yucel - one of the people who used to run BlackShades and who was released from prison in 2016. Just like BlackShades, WebMonitor's creators claim their product is a legal IT surveillance tool, yet the software is classified as malware by most reputable antivirus companies. There is another RAT named Luminosity that seems closely related to BlackShades, however, any link to the creators of BlackShades has not been reported yet.

BlackShades RAT Has a Broad Spectrum of Malicious Functionalities

Given the broad range of malicious functionalities that BlackShades RAT has, it can by no means be assumed that it is safe to download and install it on your computer. The malware can log user activity on the infected PC, steal data, switch on silently the webcam, install and uninstall additional programs, log keystrokes, control the MSN Messenger, redirect or block URLs, and much more. However, this RAT can be customized to fulfill not only surveillance tasks.

BlackShades has the ability to create a ransomware situation on the attacked system - it can be configured by its operators to hijack files through a simple encryption algorithm and demand a ransom in exchange for a decryption key. The owners of BlackShades can use the RAT's configuration interface to customize the target path of files to be encrypted, the timing, the extension that should be added to the locked files, the ransom note, as well as the encryption key. Of course, the company behind BlackShades drops all liability related to this feature and transfers it to the buyers of the tool by forcing them to confirm that they take all responsibility for the results of their actions.

BlackShades can also act as a Facebook Controller - a feature through which the attackers can post on the victim's Facebook wall. This function is available as long as the victim is properly logged into their Facebook account. Furthermore, BlackShades can spread malware infections through USB devices. For that purpose, the RAT puts a copy of the infection executable on any USB drive currently connected to the PC and then creates an autorun script. When that USB is plugged into another computer, one that has not disabled the Autorun feature, the malicious binary will execute the malware. An additional capability of BlackShades is to send an IM with a malicious link to all victim's contacts.

BlackShades can also exploit the functionalities of P2P torrent websites to spread itself. In this case, attackers can use P2P clients like BitTorrent, LimeWire, uTorrent, or Azerus/Vuze to download a BlackShades binary and store, or "seed" it, on the victim's computer. Other torrent users can then be tricked into downloading the RAT if it is disguised as some pirated music, software, or movie. Another functionality that BlackShades developers have included in the RAT's interface is a Bot marketplace. Here, users of BlackShades can buy and sell bots to other users of the RAT, expanding thus the malware's network. Also, BlackShades interface allows the operators to initiate multiple types of DDoS attacks.

All these dangerous functionalities mentioned so far imply that BlackShades is not simply a system administration tool for personal use - its capabilities elevate it to the level of a cybercrime organization with a vast reach and huge damage potential.

File System Details

BlackShades may create the following file(s):
# File Name Detections
1. %CurrentFolder%\[THREAT FILE NAME].exe
2. %System%\winlogin.exe
3. %UserProfile%\Application Data\data.dat
4. %UserProfile%\Application Data\EZSpammer.exe
5. %UserProfile%\Templates\VSCover.exe
6. %Temp%\D3D8THK.exe
7. %Temp%\Application Data\data.dat
8. %Temp%\local3.exe
9. %SYSTEM_DRIVE%\Programs\4.8\client.exe

Related Posts

Trending

Most Viewed

Loading...