Hackers working on behalf of the Syrian government are focusing on political adversaries with surveillance malware being distributed in trojanised variants of messaging applications including WhatsApp and Telegram.
“The Syrian Electronic Army” group of hackers works in support of Syrian President Bashar Al-Assad and targets groups and people that averse his regime. The group additionally has a background marked by hacking into and ruining sites – including that of the US armed force – and social media accounts, the most prominent of which saw the Twitter account of the Associated Press traded off.
Such is the reputation of the SEA that the US charged three Syrian nationals of being members of the group in 2016, with two added to the FBI’s Most Wanted List.
As of late, the group has apparently stayed under the radar, yet the SEA hasn’t stopped their operations: it has changed strategies and is presently delivering custom Android malware to adversaries of the Assad regime for surveillance purposes.
Named SilverHawk by specialists at security firm Lookout, they detailed their discoveries at the Black Hat Europe conference in London. The malware is thought to have been in activity since mid-2016 and is capable of secretly recording audio, taking photos, downloading files, monitoring contacts, tracking location and more.
“You can imagine the implications for political dissidents who might be in sensitive meetings and the enemy would love to know what they’re talking about — if their phone’s infected, they can just remotely start recording audio,” said Kristen Del Rosso, security intelligence engineer at Lookout.
The Google Android malware isn’t widely spread, recommending that the SEA is utilizing it sparingly in exceptionally targeted campaigns. The primary technique of delivering SilverHawk is by deceiving unfortunate casualties into downloading vindictive versions of messaging applications from watering hole sites or social engineering via phishing emails.
“Typically you’ll see this deployed inside trojanised secure messaging applications, secure connectivity applications and that was the case here,” said Michael Flossman, head of threat intelligence at Lookout. “The threat actors behind this really favour trojanising updates to WhatsApp, Telegram as well as a system package update.”
To help stay undetected, the malignant application doesn’t place an icon on the home screen. SilverHawk has likewise been worked to maintain a strategic distance from the quick battery depletion which can be a sure-shot indication that a malignant application has been installed on a device. The developers of the malware have built in a survival counter that gives it two attempts to connect back to its command and control servers.
“What happens is every time there’s a connection to the command and control servers that’s successful, it resets to two, then every time a connection isn’t made or the C2 server is down it drops down by one,” Del Rosso explained.
“When the device is rebooted, however, the counter is back to 2, allowing the surveillance-ware to attempt to continue its spying abilities,” she added. It also prevents repeated attempts at connection from draining the battery and arousing suspicion that something is wrong.
Examination by Lookout recommends that SilverHawk has been effective in completing its errands and staying stealthy as the malware has rarely needed to be reworked maintain a strategic distance from detection by security solutions, and when changes have been made, they were moderately minor.
While SilverHawk just targets Google Android on mobile devices, the Syrian Electronic Army is likewise known to target nonconformists utilizing Windows malware, with delivery commonly by means of phishing emails containing attachments related with military activities in the region. Regular types of malware utilized in these crusades incorporate NjRAT, H-Worm Plus and DarkComet.
In instances of both the Android and Windows campaigns the utilization of open indexes and poor operational security by the aggressors has empowered Lookout to ascribe the assaults to the SEA.