Friday, February 20, 2015

First Arabic Cyberespionage Operation Uncovered


Desert Falcons uses two homemade backdoors to spy on computers; the first appears to have been retired last June. In every case the malware installs a backdoor that performs a range of espionage functions, including keylogging, audio recording, screenshot capture, file upload and download, and password theft.
At the start of this year, Kaspersky researchers discovered the latest version of the Trojan, DHS2015, also known as iRAT. The malware has evolved from its first generation, compiled in 2013, adding encryption of command and control communication and of stored files, as well as a number of features intended to evade detection by security products.
This version also shows evidence of attacks on Android devices: researchers said they found mobile call and SMS logs on a command and control server at fpupdate[.]info.
Based on the evidence collected, Kaspersky researchers estimate the Desert Falcons group has upwards of 30 members, all of them native Arabic speakers. The clues include several member identities that were uncovered, language properties set to Arabic, Arabic names for the C&C administrators, Arabic-language content in the phishing emails, and an Arabic interface in the DHS control panel.
“The identities of some of the cyber criminals were found when inspecting the contents of one of the C&Cs which had public read permissions open for a short period of time,” researchers wrote, adding that they were also able to track and identify some of the attackers’ Facebook and Twitter accounts, private blogs and websites. “Surprisingly the attackers have published on Twitter some information about their development of the spyware and the command servers.”
