Malware targeted at Syrian activists can operate webcam, disable AV, keylog, steal passwords

A fake PDF purporting to contain information on "the formation of the leadership council of the Syrian revolution" is circulating. As the Electronic Frontier Foundation's Eva Galperin and Morgan Marquis-Boire report, it's bad news for people who install it.

The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

Campaign Targeting Syrian Activists Escalates with New Surveillance Malware
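
The report describes a program that passes for a PDF when file extensions are hidden. As an added example (not code from EFF or from this post), this Python check classifies a received file name by its real final extension. It goes beyond the reported case to cover double extensions and space padding; the extension lists and sample names are constructed assumptions and not exhaustive.

```python
import ntpath

# File types Windows runs as programs or scripts on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".cpl",
                   ".msi", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Document and image types a lure name commonly imitates.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt",
                 ".jpg", ".png"}


def classify(filename):
    """Return (verdict, real_ext, shown): shown is the name Explorer displays
    when extensions of known file types are hidden."""
    # The Win32 API drops trailing dots and spaces, so strip them before parsing.
    name = ntpath.basename(filename).rstrip(". ")
    shown, real_ext = ntpath.splitext(name)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return "data", real_ext, shown
    # Padding spaces can push the real extension out of a narrow name column.
    inner_ext = ntpath.splitext(shown.rstrip())[1].lower()
    if inner_ext in DOCUMENT_EXTS:
        return "disguised-program", real_ext, shown
    return "program", real_ext, shown


def triage(filenames):
    """Keep only names that would execute rather than open in a viewer."""
    return [(f, *classify(f)) for f in filenames if classify(f)[0] != "data"]


# Constructed sample names, not taken from the report.
SAMPLES = [
    "leadership_council.pdf",
    "leadership_council.scr",
    "leadership_council.pdf.scr",
    r"C:\Users\a\Downloads\notes.pdf      .exe",
    "holiday.jpg.",
]

if __name__ == "__main__":
    for name, verdict, ext, shown in triage(SAMPLES):
        print(f"{verdict:18} real={ext:5} shown as {shown!r}  <- {name!r}")
```

A "program" verdict on something sent as a document is as much a warning as "disguised-program": the name alone cannot reveal an embedded PDF icon.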


    1.  Thankfully, changing that option is the first step in a zillion how-tos of almost any kind relating to files…

      A small part of me feels like anyone who doesn’t know what a file extension is in 2012 is pretty much digital cannon fodder anyway…

  1. Pro-Tip: If Windows says something with a PDF icon is a screen saver then it prolly isn’t a PDF.

    And yeah, Windows should stop hiding file extensions by default. Not that I think it would make much difference…

  2. I agree about the stupidity of not seeing extensions given Windows uses that information for its behavior. But in most Explorer views, you can still see this is a screen saver, not a data file, and screen savers are frequent vectors of malware. What people need to know are the types of files Windows treats as programs besides the common .exe.
