Security Experts:

Trojan Targeting Syrian Activists Spreading via Skype

The EFF is warning activists in Syria to use caution when downloading documents via Skype, after a new attack blends social engineering with a malicious PDF to install a Trojan on the victim’s computer. This latest attack is just another example of such schemes, the EFF said, which started earlier this year.

According to the EFF’s blog post on the matter, Syrian activists are contacted via Skype, and encouraged to download a PDF file that purports to contain plans of assistance for the city of Aleppo.

“...opposition protest has been growing steadily since a raid on Aleppo University dormitories resulted in the deaths of four students and a temporary shutdown of the state-run school earlier this month,” the post explains.

“Like many of the attacks we have reported on, this one installs a Trojan called DarkComet RAT, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more...”

The hijacked data is then passed along to a block of Syrian IP addresses, which are the same addresses reported in previous attack by the EFF, as well as Trend Micro and Symantec.

Last week, SecurityWeek reported on the compromised version of Simurgh, a privacy tool used in Iran and Syria to bypass censorship and governmental monitoring. The compromised version is a repackaged version of the original, and has been offered on P2P networks and via web searches.

In April, there were wide reports of Syrian activists being targeted by Phishing attacks designed to compromise social networking accounts, including Facebook and YouTube. The same Trojan being used in this more recent attack was also circulated in a separate attack earlier in May; it too targeted Syrian activists.

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.