Enterprises face a high-risk threat of stealth surveillance and computer hijacking during the best of times, but every once in a while a concerted attack comes along that should put the business sector on high alert. Prolexic’s Security Engineering & Research Team (PLXsert) is sounding that alarm, noting that attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit have been kicked up several notches of late.
Blackshades has been in the headlines lately for various blackmail and extortion incidents. The FBI recently announced the arrest of more than 90 individuals allegedly connected to the Blackshades RAT operation, but Prolexic data shows that the threat remains strong.
The Blackshades RAT is used for a number of nefarious purposes, including launching executables, monitoring audio and video, running webcams, capturing screens and logging keystrokes on infected machines. Thanks to this bonanza of crimeware features, Blackshades is among the most popular RATs in the criminal underground.
“Blackshades RAT is a relatively new and very powerful crimeware kit that can expose confidential information as the user works,” said Stuart Scholly, senior vice president and general manager for the Security Business Unit at Akamai, in the report. “It’s like having someone watch over the user’s shoulder without their knowledge. In addition, the malicious actor can use the infected computers to run malicious programs and even lock users out of their own files.”
Prolexic noted that the surveillance feature mimics the capabilities of legitimate remote-administration software, with the added advantage for the attacker that its victims are unaware that they are sharing the information. Webcam and screen capture provide tangible data about the victim, and keylog data can provide access to sensitive information in real time as it is typed.
Clearly, espionage is an ideal use for the bug.
“Malicious actors may seek to monetize the information they gain from spying on their victims with Blackshades RAT,” Prolexic said in its report. “The value of this information varies depending on the targeted victim’s reputation, level of income, place of work or membership in an organization.”
The firm said that a typical infection consists of a multi-stage attack, where the victim is tricked into downloading a file, which will subsequently download and execute the actual Blackshades payload. This means that enterprises and individuals should practice diligence while browsing the internet, reading emails and using other web-based applications prone to drive-by attacks.
Once the Blackshades RAT server payload has infected a system, it typically goes through several stages. One stage is stealth, where the RAT tries to leave the smallest footprint possible on the infected system. The next stage is establishing persistence, which allows the malware to survive system reboots. Once stealth and persistence are attained, a multitude of illegitimate capabilities become available to the malicious actor.
The large number of features combined with its ease of use has helped Blackshades RAT flourish among aspiring cybercriminals and even more seasoned malicious actors. It has gained the interest of major organized crime groups and government entities, as the recent law enforcement takedown demonstrates. PLXsert expects the Blackshades RAT toolkit to gain more traction and remain a persistent threat, as motivated cybercriminals use it to vary their tactics and avoid detection.
“In attack campaigns, malicious actors switch and apply different attack vectors and customized tools to compromise their victims’ computers and devices,” the firm said. “Stealth remote administration tools such as Blackshades RAT allow malicious actors to repurpose their botnets and require very little networking and operating systems knowledge.”