Research

The Syrian malware part 2: Who is The Joe?

Introduction

Kaspersky Lab would like to alert users in the Middle East for new malware attacks being delivered through Syrian news and social networking forums. Malware writers are using multiple techniques to deliver their files and entice the victims to run them, creating an effective infection vector. Mainly depending on social engineering, the attackers exploit Victims’ trust in social networking forums, curiosity in following news related to the conflict in Syria, their standing in Syria, in addition to their lack of Cyber Security awareness. Once criminals infect the victim’s computer, attackers have full access and control over victim’s devices.

In the first report on Syrian malware, Kaspersky Lab detailed many attacks being used in Syria to spy on users, the report included attacks from different teams and many sources.

This post will follow up on one of the domains, seemingly the most active in the last period: thejoe.publicvm.com

The malware files were found on activist sites and social networking forums, some others were reported by regional organisations like CyberArabs.

Reports that mention “the Joe”
https://citizenlab.org/2013/06/a-call-to-harm/
https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf

All the files hide under the hood a full-featured variant of a RAT, Remote Administration Trojan (Bitfrose/NjRAT/Shadowtech/Darkcomet…), capable of getting full control over victim machines and devices, monitoring any movements and accessing all files. The thejoe.publicvm.com domain is related to many samples, here we will focus on the most important and luring, that most probably collected the highest number of targeted victims, estimated in thousands.

There are many factors and entities at play in this event, we will only focus on the malware and the facts that have been found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research.

What is the information we had on theJoe?
What has the Joe been doing in the last period?
Who is the Joe?

What is the information we had on the Joe?

The Joe is one of the most active cyber criminals in Syria and the Middle East, targeting all types of users, following is the information collected on the Joe and his activities.

Domain information “thejoe.publicvm.com”

The Joe is using a dynamic domain to be able to change his IP address and maintain anonymity:
The domain thejoe.publicvm.com has been seen using the following IP addresses located in Syria and Russia:

  • 31.9.48.146
  • 31.9.48.119
  • 31.9.48.146
  • 31.9.48.80
  • 31.9.48.78
  • 31.9.48.119
  • 31.8.48.7

TCP ports used in the attacks: 1234, 1177, 5522.

Malware information

From the malware samples collected, we were able to find strings in the code, from the Windows device used by the Joe.

Folder paths recovered from the malware files:

  • C:UsersjoeDesktop2014WindowsApplication1WindowsApplication1objDebugWindowsApplication1.pdb
  • C:UsersjoeDesktopDesktopSyriatelSyriatelobjDebugSyriatel.pdb
  • C:UsersjoeDesktopNJServerNJServerobjDebugNJServer.pdb

Youtube Channel

The Joe is also using a fake youtube channel where he posts social engineering videos with links to download malware.

http://www.youtube.com/channel/UCCdoQBw-a6dM15ZyhrsqW_w

The Channel is distributing malware files under the name “Lions of the revolution” or other…

What has the Joe been doing in the last period?

The Joe was busy in the last period; In the below we display some of the most graphical and luring samples collected by the Kaspersky Intelligence services and the Kaspersky Security Network (KSN cloud), detailing their functionalities and how The Joe is able to use the situation in Syria to have the users automatically open the files even if they suspect infected. The most targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. The number of victims is estimated around 2000.

6 new stories:

  1. Let us fix your SSL vulnerability
  2. Now Let us clean your Skype!
  3. Did you update to the latest VPN version?
  4. Let’s Check if your phone number is among the monitored numbers
  5. The Facebook account encryption application
  6. What’s your favourite security product?

Joe_1

1 – Let us fix your SSL vulnerability

MD5 Hash: dc6166005db7487c9a8b32d938fec846
Filename: TheSSL.exe, SSL Cleaner.rar

Following up on the vulnerabilities in the OPENSSL, and the amount of news it reached, the cyber criminals are trying to benefit of the user perception of such news but lack of awareness on how the vulnerabilities could be fixed.

Joe_2

Demonstration video on the Heartbleed vulnerability + Link to download the “Fix” with infection

Joe_3
Joe_4
Joe_5

2 – Now Let us clean your Skype!

MD5 Hash: d6ab8ca6406fefe29e91c0604c812ff9
File Name: Skype.exe

Another social engineering trick used to lure criminals to download and execute a malicious file, the skype cleaner to “protect and encrypt your skype communications”.

Joe_6
Joe_7

3 – Did you update to the latest VPN version?

MD5 Hash: 2e07e8622b4e997f6543fc0497452dad
File Name: VPN.exe

Psiphon, a legitimate application used around the world for anonymity protection, is particularly effective and used in Syria for users to protect their traffic from snooping or interception, the application here is bound with malware and delivered to the users as an updated version.

Joe_8
Joe_9

4 – Let’s Check if your phone number is among the monitored numbers

MD5 Hash: ad9a18e1db0b43cb38da786eb3bf7c00
File Name: Syriatel.exe

Another one of the popular malware files, is used to fake a tool that is used to check the mobile phone numbers under surveillance and sorted by location, delivered as a “leaked program” to the victims.

Joe_10
Joe_11
Joe_12

5 – The Facebook account encryption application

MD5 Hash: efdaa73e0ac1b045d5f2214cadd77f09
File Name: Rooms.exe

Joe_13
Joe_14

6 – What’s your favourite security product?

One of the latest files used to infect users is quite different: a binding of a Kaspersky Lab tool with malware. Developed by Kaspersky Lab, TDSSKiller is a powerful free tool that can detect and remove a specific list of rootkit malware families.

Bound with malware, the Joe is using the Kaspersky name to deliver the malware in an attempt to lure victims to open and trust the files he is sending.

KL tool

 Who is “The Joe”

Hundreds of samples were analyzed relating to the Syrian malware, one of the samples, extracts to multiple documents, in one of which, we were able to find a metadata slip which extracted to some interesting information.

The metadata slip by the guy using “Joe” as his nickname, revealed his personal email, which using further research leads to his other emails, full identity, social pages…

Joe_15

On Facebook:

Joe_16

On Linkedin:

Joe_18

Indicators of compromise

MD5 Hash Name(s) used for the malware file First Seen
f62cfd2484ff8c5b1a4751366e914613 Adobe.exe
Reader.exe
Card.exe
Sept 2013
012f25d09fd53aeeddc11c23902770a7
89e6ae33b170ee712b47449bbbd84784
قائمة الأرهاب .zip (“list of terrorism”) file extracts to .JPG and malicious .SCR files Jan 2014
dc6166005db7487c9a8b32d938fec846
62023eb959a79bbdecd5aa167b51541f
TheSSL.exe (to “remove SSL weaknesses”)
SSL Cleaner.rar
April 2014
cc694b1f8f0cd901f65856e419233044 Desktop.exe
Empty.exe
Host.exe
Mar 2014
d6ab8ca6406fefe29e91c0604c812ff9 Skype.exe
Skypecleaner.exe
July 2014
2e07e8622b4e997f6543fc0497452dad VPN.exe Sept 2014
efdaa73e0ac1b045d5f2214cadd77f09 Rooms.exe (to “encrypt your Facebook”) Nov 2014
39d0d7e6880652e58b2d4d6e50ca084c Photo.exe Nov 2014
abf3cfecd2e194961fc97dac34f57b24 Ram.exe
Setup.exe
Nov 2014
a238f8ab946516b6153816c5fb4307be tdskiler.exe (to “remove malware”) Jan 2015
6379afd35285e16df4cb81803fde382c Locker.exe (to “encrypt/decrypt” files) Jan 2015

Kaspersky Lab detects all malicious files used in the attacks.
All files are actively being used by the cybercriminals at the time of this report.

Conclusion

Syrian malware has a strong reliance on social engineering and the active development of malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected carefully; and this is one of the main reasons for urging Syrian users to be extra vigilant about what they download and to implement a layered defense approach. We expect these attacks to evolve both in quality and quantity.

For more details, please contact: intelligence@kaspersky.com

The Syrian malware part 2: Who is The Joe?

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox