New fear: ISIS killers use 'digital AK-47' malware to hunt victims

New code built in-house targets innocents fending off deranged terrorists

Malware has emerged from war-torn Syria targeting those protesting the rule of ISIS (ISIL, Islamic State, whatever the murderous humanity-hating fanatics are calling themselves these days.)

The trivial Windows spyware, analyzed by University of Toronto internet watchdog Citizen Lab, was sent out in a small number of emails aimed squarely at members of the group Raqqah is being Slaughtered Silently (RSS) – which is holed up deep in ISIS-controlled territory and campaigning against the medieval terror bastards.

The booby-trapped emails purport to come from a Canadian expat group that wants to help the fight against ISIS. The messages ask the recipients to check over a report about the actions of the religious fanatics. Clicking on the URL leads to a file-sharing account with TempSend, and downloads an archive called

While the zipped folder does contain a few maps, it also holds some simple but dangerous spyware called AdobeR1.exe: when run, it emails the infected system's public IP address to its masters. There's no backdoor or other sort of remote access – the computer simply emails out its network address whenever it boots up.

Just getting the IP address may not sound like much, but it could be useful information in the hands of a determined killer, and may narrow down the location of a target, if not pinpoint it using geolocation.

Syria's internet access is so fractured and scarce that mapping IP addresses to particular locations isn't impossible: imagine a person regularly using a cafe for web access; if ISIS can map the cafe's network address to its physical location, it will know exactly where that person is when he or she switches on their laptop.

(This is assuming the target hasn't heard of Tor or VPNs. Of course, if the IP address leads to the wrong place, kicking down a door and slaughtering everyone inside is just a Monday morning jolly for ISIS, anyway.)

In areas of the bloodstained country still run by the Assad regime, internet access is provided by the state telco, which of course has its own IP address block. So a machine running the spyware with a network address in that range could well be within those Assad-held sectors.

In the north of the country, largely controlled by the Free Syrian Army and Kurdish forces, internet access is almost exclusively provided via commercial satellite internet, which again has its own IP range.

And someone with the right skills could use the leaked public IP addresses to prod a victim's machine for software vulnerabilities to exploit, leading to a full system compromise and, ultimately, death.

'It definitely looks like it has been developed internally'

This malware is pretty basic and buggy, we're told. Citizen Lab senior security analyst Seth Hardy told The Register that the code only sends out the initial IP discovered, and doesn't update itself, which the analysis team think is down to bad coding. The emails it sends out also don’t use any encryption.

On the balance of probabilities, Citizen Lab thinks it's highly likely the malware involved has been developed by ISIS. The Syrian government has its own spyware that installs a backdoor and opens link back to government agents so they can remotely control the infected PC.

The other possibility is that the code has been purchased from one of many unscrupulous outfits that sell malware to the highest bidder, often quite legally. But the new sample doesn't look like it came from one of these cyber-merchants.

"It's not even close to commercial samples," Hardy said. "It definitely looks like it has been developed internally."

The spyware has now been fingerprinted and the signatures published for antivirus products to use, so hopefully security software companies will be able to block further infections. But Hardy said it would be "trivial" to tweak the code to evade detection again.

It's possible the code is the work of British hacker Junaid Hussain, who was sentenced to a six-month stretch behind bars in 2012 for infiltrating the email account of an aide to Tony Blair, and flooding the UK's national anti-terrorism hotline with spoof calls.

Hussain has since skipped bail and fled Blighty. According to various tweets he is now operating in ISIS-controlled territory and may be using his computer skills to create malware, as he did in his earlier hacking attacks.

"We can't say for certain where this malware came from, but based on what we're seeing in the Lab the entry costs and expertise needed for these kinds of attacks is falling drastically" John Scott-Railton, coauthor of the Citizen Lab study, told The Register.

"Malware like this is becoming the digital equivalent of the AK-47; it's cheap, easy to use, and can be very dangerous when it's used by militant groups looking to find their enemies." ®

Similar topics

Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading

Biting the hand that feeds IT © 1998–2022