Blackshades RAT Highlights from a State of the Internet Threat Advisory
akamai.com
= what is blackshades?
• Blackshades RAT is a Remote Access Tool – an exceptionally powerful cybercrime threat
• RATs (also known as Remote Administration Trojans) are surveillance tools that can extract sensitive information
• Blackshades has already been used for blackmail and extortion against famous personalities
• Blackshades has an enormous variety of features – making it extremely popular for cybercrime
2 / [state of the internet] / threat advisory
= about blackshades
• Blackshades surfaced on the Internet in 2010
• One of the most popular RATs in the criminal underground
• The creators were recently arrested by the FBI, along with 90 other people involved in its distribution
• Several attacks, including the blackmail and extortion of Miss Teen USA and use by government entities, received media attention
= stealth techniques
• Blackshades is extremely hard to detect, and requires expertise to remove.
  – File cloning allows the Blackshades payload to appear identical to a legitimate file
  – Can detect the presence of a debugger
  – Contains an anti-kill feature that can shut down or even crash the computer if the user attempts to terminate the payload process
  – FUD (Fully Undetectable) crypters allow the payload to bypass antivirus programs
= what can blackshades do?
• Surveillance
  – Keylogging monitors for passwords and credentials
  – Webcam access allows for real-world monitoring of the victim
  – Screen view (similar to commercial products such as TeamViewer)
  – Live Logger provides additional context data
= what can blackshades do?
• Remote administration capabilities
  – Blackshades provides malicious actors with all the same information as if they had access to the physical machine
  – Provides operating system administration utilities such as registry access and process enumeration
  – Attacker can remotely download and run executables on the infected machine – including additional malware or DDoS toolkits
= what can blackshades do?
• Additional features
  – Can take control of the mouse, either for annoyance purposes (erratic mouse movement) or monetary purposes (forcing the user to click on ads)
  – File hijacker is ransomware – it encrypts the victim’s files and prompts the user to pay for the decryption key
= mitigation tips
• Download the Blackshades RAT threat advisory for indicators of infection and a YARA rule
• Due to the high degree of stealth in the payload and infection techniques, practice diligence when browsing the Internet, reading emails, and using other Web-based applications prone to attacks
• Review the FBI advisory to learn about other potential signs of infection
= threat advisory: blackshades RAT
• Download the threat advisory at www.stateoftheinternet.com/blackshades
• This DDoS threat advisory includes:
  – Recent history of remote access tools
  – Example payloads and payload builder analysis
  – Analysis of the infection and persistence process
  – Detailed overview of remote access and surveillance capability
  – Indicators of infection
  – Mitigation advice, including a YARA rule
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.