Every time there is a clamorous event cyber criminals try to take advantage of the people’s interest to run illegal activities, it is happened recently with the incident to the Air Asia Flight and is happening with the terroristic attack on the Charlie Hebdo.
You have to consider that not only ordinary people search for this kind of info, also journalists and cyber experts like me constantly monitor social media and the web to search information that could be useful for investigation of specific cases and to track profile of the attackers.
Security experts at Blue Coat have discovered that criminal criminals exploited the hashtag #JeSuisCharlie in order to spread malicious links that was distributing the popular DarkComet RAT. RAT malware like DarkComet are used by criminals and some government entities to take control of the victims’ machine.
DarkComet was created by the French hacker Jean-Pierre Lesueur, also known as DarkcoderSc, which stopped development of the RAT in 2012 because he discovered that the Syrian Government was used it to persecute dissident.
“The malware in question is the infamous DarkComet RAT (aka Fynloski), a freely available remote administration tool which also can double as a powerful backdoor trojan.”states Blue Coat in a Blog post. “The variant used in the present attack is obfuscated to make it less noticed by AV scanners. The DarkComet Delphi code is enveloped in a .NET wrapper, making the telltale signs of DarkComet hard to spot. Indeed, the AV detection rate of this executable is at the time of writing poor – only 2/53 scanners had detection on the VirusTotal online scanner service.”
The criminals exploited the popular social media Twitter to share the malicious, the hashtag became was one of the top of the Internet in the wake of the 7 January attack on the Charlie Hebdo magazine in Paris.
Social Media experts estimated that it has been tweeted million times to date, an excellent opportunity for threat actors to spread malware, including the popular DarkComet RAT.
The variant discovered by the researchers at Blue Coat drops a copy of itself with the name svchost.exe and displays the image of a new-born baby with a band carrying the name “Je suis Charlie”.
Malware authors tried to obfuscate the malicious code to evade detection mechanisms, Blue Coat reports that the sample it has analyzed are detected only by two of 53 AV used by the VirusTotalonline scanner service.
At the moment, the researchers have identified a unique Command and Control server host is a subdomain under the no-ip dynamic DNS domain, the legitimate dynamic DNS service that is often used by malware authors.
“The actual domain address is: snakes63.no-ip[.]org
This address currently resolves to an IP address located with the French service provider Orange. The French IP address and the error message in French reinforces the impression that this malware was targeted at French users, though we have no indication as to who the attackers are or what they are after. We have anyhow informed the French authorities about this malware.” state Blue Coat
Unfortunately, there is no indication of the extent of the malicious #JeSuisCharlie campaign based on DarkComet agent.
It is likely that criminals will continue to exploit social media and phishing campaign to spread DarkComet and many other malware variants, be careful in your online experience adopting the best practices that every time I suggest you.
(Security Affairs – #JeSuisCharlie, DarkComet)