Malware Purveyors Use Syrian Internal Conflict, Reports Symantec

According to the researchers from Symantec the security company, cyber-criminals are continuously capitalizing on the aggression inside the Middle Eastern country of Syria, as they launch their malware campaigns.

One particular onslaught that aims at government agencies, oil companies and hotels involve fraudulent e-mails as alleged communications from Sheikh Adnan Mohammed al-Aroor who's regarded as the chief person representing the anti-government pressure group inside Syria.

Symantec's researchers describe the fake electronic mails as containing an attachment with a zipped archive, which consists of one .Ink condensed file.

If executed, this file drops another named 1.exe on the infected computer that crafts more files while further opens registry entries towards making sure it'll get executed whenever the PC boots up. It as well creates a duplicate on a temporary file group while getting freshly named to the svchost.exe process.

Identified as a malware installer, .Ink is linked to MSHTA.exe, which is a Microsoft HTML Application Host document situated inside System32. The .Ink has its object transferred, a contention, which indicates one HTML file as harbored within a malevolent site, informs Symantec.

Additionally according to Symantec, the HTML document consists of an Auto script in Visual Basic language along with one implanted executable.

Anytime a victim views the file having the Sheikh's message, behind the screen, a RAT namely Xtreme starts operating. The screen is hazy such that the campaign appears genuine, while in reality the Xtreme RAT infects the user. Symantec has identified this RAT as W32.Extrat.

The company explains that the Xtreme RAT, as the abbreviation suggests, is one kind of Remote Administration Tool with which any remote computer-operator can intercept keystrokes followed with capturing data from the hijacked PC. Within the incident in question, experts noted that the outgoing traffic linked up with tn5.linkpc.net via port 82.

Meanwhile, in a similar malware campaign that leveraged the Syrian aggression, cyber-criminals during August 2012, allegedly attacked the Electronic Frontier Foundation watchdog group; journalists; activists; and opposition members in Syria with malware to monitor the victims' operations. The malware, known as AntiHacker, craftily planted spyware, which disguised as safeguarding PCs off remote assaults or data-hacks.

Related article: Malware has lesser proximity to your inbox now!

» SPAMfighter News - 1/15/2013