Last week, it was announced that one of the creators of BlackShades NET Remote Access Trojan was arrested along with 23 others in an international assault against cybercrime. As you recall from previous blogs posted on Unpacked, we have given you, the reader, an in-depth look into what kind of dangers are presented by the capabilities of this malware. We have also discussed a very serious situation concerning the use of this tool in political conflicts in Syria and consequently the dawning of the age of malware being used in warfare.
The operation which made the arrest was headed up by the Federal Bureau of Investigation over the course of 2 years in 13 countries. The FBI was able to essentially “scam the scammers” by setting up a forum to sell credit card numbers and software. The forum was designed and run in a fashion that not only appeared legitimate to the criminals but would also allow the FBI to have full observation of every post or private message sent on the forum. In addition to the forum, numerous undercover FBI agents would meet in person with some of the criminals to conduct business. The forum itself was, in essence, a honeypot for cybercrime activities.
One of the creators of BlackShades, 21 year old Michael Hogue a/k/a xVisceral, was arrested for not only credit card cybercrime but also for the advertising and selling of malware, namely the RAT BlackShades. An interesting note is that xVisceral had announced his retirement from cybercrime in August of last year; however he returned shortly after and has been seen on numerous cybercrime forums, offering tech support to BlackShades users.
To offer a brief background, BlackShades NET is a Remote Access Trojan which allows an attacker the ability to view a victims webcam, log their key strokes, steal their files, further infect a system with subsequent malware, hold the infected system for ransom and a slew of other functionality. It has multiple methods of unique concealment, used to hide from antivirus engines by employing the use of custom “Crypters” which obfuscates the implant binary. It was most recently seen in the media as one of the tools used against Syrian political activists. For more information on BlackShades and the Syrian conflict, check out my previous posts:
The FBI has done a fantastic job of rounding up these cybercriminals, however they are but a fraction of the cybercrime population and while important as part of the whole, they were probably the sloppiest. The majority of the arrested criminals were between 19 and 21 with the youngest being 18 and the oldest being 25. They were all young men who lived dangerous lifestyles without perhaps as much prudence as older cyber criminals. Imagine organized crime throughout history, younger and less experienced criminals were usually the only ones who were captured by law enforcement, while the older and more experienced high ranking criminals hid in the shadows and were never seen. I assure you that the true faces of ‘serious’ cybercrime will never be seen by law enforcement or the media.
The end of DarkComet?
DarkComet is a Remote Access Tool/Trojan which was originally developed as an educational tool for computer security enthusiasts and network administrators. However, it is commonly used by cybercriminals to steal personal information, spy on unsuspecting victims via their webcam and a long list of other malicious things. This also includes being used to fight wars as was seen during the most recent attacks against Syrian Activists. I wrote a blog post not too long ago which described the capability and functionality of DarkComet and how to protect yourself from it, check it out for more information on what DarkComet can do:
After 4 years of development, DarkComet is apparently no more. The author of DarkComet, Jean-Pierre Lesueur a/k/a DarkCoderSC, announced that he will no longer develop or distribute DarkComet. He mentions that he does not want to be associated with any illegal activity and had never intended for his software to be used in malicious ways. He also said that he will still continue to be a part of the Computer Security community and will continue to develop free tools which will not be associated with malware. To read his official statement, check out:
Will this be the end of BlackShades? The answer is no. Here is why:
- xVisceral was only a co-creator, therefore other members of the group who develop, improve and sell the BlackShades RAT will continue to operate business as usual.
- In 2010 the source code for an earlier version of BlackShades was released onto the internet, which by now has most likely been converted into different variants and maybe even completely different tools, which can take the name BlackShades but are distributed by an entirely different network of cyber criminals.
- The arrest of xVisceral will not scare off other would-be cybercriminals, if anything it may only prove to cause less experienced criminals to be more prudent and secure in their operations, making them harder to find than before.
- As for DarkComet, while it is no longer supported by DarkCoderSC, it is still out there and will most likely begin to be distributed throughout the cybercrime scene if it hasn’t already. New tools to obfuscate the RAT implant files will be integrated into a system of creating new implant binaries to be used against victims.
To sum it up, BlackShades will continue to be around for a long time, whether it be in the form that it is currently seen or as a new variant and version. If the day comes when BlackShades falls to the wayside, other RATs which are currently available and being developed will take its place in the cybercrime arena.
Security Tip: As of now, Malwarebytes Anti-Malware has a fantastic track record of being able to detect and remove BlackShades implants before anyone else. To keep yourself safe, always keep your Anti-Malware definitions up to date and follow common security practices.
For more information on the FBI arrests check out: