
Syrian dissidents besieged by malware attacks

Under the guise of protecting users' computers from cyberattacks, AntiHacker instead infects computers with spyware. And its main target: Syrian activists.

Dara Kerr Former senior reporter
[Image: What AntiHacker looks like when it is being installed on a computer. Credit: Electronic Frontier Foundation]

As the Syrian civil war continues to escalate, pro-government forces are allegedly carrying out a cyberwar against local dissidents.

Syrian activists, journalists, and government opposition groups are under a barrage of targeted malware attacks, according to the watchdog group Electronic Frontier Foundation. The malware, named AntiHacker, installs surveillance software on a computer under the guise of protecting the computer from viruses.

Once the malware is installed on the computer, with promises of "Auto-Protect & Auto-Detect & Security & Quick scan and analysing [sic]," it actually begins to spy on the user. Using a remote access tool called DarkComet RAT, the attacker can watch the user's every move with a Webcam, while also disabling any antivirus programs, stealing passwords, deleting data, and more. Once the user has run the program, a pop-up appears that says, "You PC is Protect now thank for using our Product [sic]."

AntiHacker has various ways of reaching out to users, including a Facebook group used to lure in potential targets, according to EFF.

"Syrian Internet users should be especially careful about downloading applications from unfamiliar websites," EFF's international freedom of expression coordinator Eva Galperin wrote in a statement today. "The AntiHacker website showed many signs of being illegitimate, including prolific abuse of English spelling and grammar."

This is not the first time that Syrian activists have come under cyberthreat. In May, a Trojan targeted dissidents in both Syria and Iran, tracking users who attempted to evade government censorship. This Trojan carried a payload of malware that captured usernames, IP addresses, and hostnames of users; it also recorded any keystrokes entered.

The version of DarkComet that AntiHacker is running is not yet detectable by any antivirus software, according to EFF. However, users can use the DarkComet RAT removal tool to determine whether their computers are infected and then remove the malware.