A hacking group is using an enhanced version of BlackWorm, a Remote Access Trojan (RAT), to weasel its way into organizations.
The Syrian Malware Team, a pro-Syrian government hacking group active since at least 2011, now primarily uses the “Dark Edition” version of BlackWorm in its campaigns, said researchers at security firm FireEye.
FireEye also detailed an original, or private, version of BlackWorm (v0.3.0), which was “fairly simple [allowing] for very quick payload,” said researchers in a blog post.
The earlier version of the RAT supported a number of commands, including system restart and shutdown, displaying “startling” flash videos on targeted machines, downloading and running files, killing critical Windows processes, and blocking keyboard and mouse input, FireEye said.
The “Dark Edition” version, however, comes packaged with additional features that allow attackers to bypass User Account Control (UAC), disable firewalls and spread over network shares.
“Unlike its predecessor, [BlackWorm Dark Edition] allows for granular control of the features available within the RAT,” the blog post said. “These additional controls allow the RAT user to enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.”
One of the blog writers said that having a RAT in the target environment effectively gives the attackers carte blanche.
In its post, FireEye referenced IntelCrawler research linking Syrian Malware Team with hacktivist group Syrian Electronic Army (SEA). In the March report, IntelCrawler said an SEA member, going by the online alias “Hawks,” appeared to withdraw from SEA in 2012 with interest in starting the Syrian Malware Team.