Law enforcement authorities from all over the world arrested around 100 individuals suspected of creating, distributing and using BlackShades RAT (ShadyRAT). However, experts say it’s unlikely this will end the use of BlackShades.
A total of 300 searches were conducted worldwide, 100 email and physical search warrants being executed in the United States alone. Some 1,900 command and control domains have been seized. Europol reported that more than 1,000 computers, laptops, mobile phones, external hard drives and other electronic devices were confiscated by investigators.
Michael Hogue, aka ‘xVisceral’, one of the developers of BlackShades, was arrested in the United States in June 2012. Hogue has already pleaded guilty to the charges brought against him. The recent law enforcement operation also included the unsealing of an indictment against Alex Yucel, a Swedish national previously arrested in Moldova. Yucel, who is believed to be the head of the organization that sold the malware, is awaiting extradition to the US.
Despite all these actions against BlackShades creators and users, experts say it’s unlikely that anyone will witness the end of the RAT, especially since the source code for this piece of malware has been available for more than three years and it’s not difficult for moderately skilled hackers to modify it for their purposes.
“The BlackShades arrests, which reportedly targeted over 100 hackers worldwide that were associated with the RAT, dealt a significant blow to the BlackShades criminal market, and will hopefully discourage further use,” Alex Watson, director of security research at Websense, told SecurityWeek. “However, it’s unlikely that this will end the use of BlackShades, which has survived multiple arrests over the past two years and had source code leaked to the Internet, which can be modified by hackers or used as building blocks for a new RAT.”
Watson highlights the fact that even if we are to see the end of BlackShades, there are plenty of other RATs and general purpose malware to take its place, including Xtreme RAT, Gh0st RAT and ZeuS. While BlackShades has made numerous headlines mostly due to its use in sextortion operations, the threat is actually a multipurpose tool utilized in many cybercriminal campaigns, including industrial espionage and mid-level attacks.
In fact, Websense has been monitoring a series of low-level attacks targeted at financial institutions in the Middle East and India.
“These attacks use a combination of malware, including Xtreme RAT and Zeus, indicating a more aggressive (and less sophisticated) campaign, likely with the goal of stealing credentials and financial information,” Watson explained.
The expert notes that attackers gain more flexibility around searching compromised machines and networks by combining information-stealing malware like ZeuS with such remote access Trojans. In order to protect themselves against these threats, organizations must inspect both inbound and outbound data streams because RATs function through two-way communications.
“It’s a challenge that organizations face with the increased use of RATs such as BlackShades for both targeted and non-targeted attacks,” Watson said. “The end result being that it becomes more difficult to understand the business impact or risk associated with an incident ─ for example, whether an attack is a targeted specifically at an organization and attempting to steal intellectual property or sensitive information- which would be very high risk for the organization, or if is simply part of a widespread and non-targeted campaign designed to steal credentials from many organizations.”