BlackShades Remote Access Trojan

Blackshades is a well-written Remote Access Trojan that comes complete with a setup and user guide. These documents, provided at purchase, are better written than some commercial software guides. The tool set itself has been around for many years; I first started playing with it back in 2010 when I found it on a network and analyzed the root infection. This tool, in my opinion, is built for espionage and the collection of intellectual property. It has many different modules, including DDoS, URL redirection, keylogging, network traffic sniffing and webcam management. The malware that enables this functionality is usually delivered through a phishing email that takes advantage of a zero-day exploit built for a discovered desktop software vulnerability. It has been a successful technique, used against many organizations to install this particular piece of malware. The network manager that you see below allows an attacker to interfere with the infected workstation's network settings and execute various internet-related functions.

One of the most interesting parts of the tool is the surveillance components. These functions allow an attacker to capture audio, keystrokes, screenshots and webcam footage, so if you have an infected laptop, you could be losing intellectual property or customer data. With the audio capture, an attacker can record any conversation taking place near the infected laptop. Collecting keystrokes gives the attacker further access by harvesting usernames and passwords for any environment accessed through the workstation.

There are also several other tools included in this software package. It comes with a fun manager that allows the attacker to “mess” with the user by modifying characteristics of the workstation. A spreader, hijacker and infector are also part of this module.

Another interesting component of this tool is the spreader. Using this tool, the malware can spread from the infected computer to other users through a server, via USB, or by instant message over something like MSN or AIM/ICQ. This makes tracking the infection difficult, since it morphs with every infected workstation based on the unique MAC address of that particular piece of hardware.

This tool really demonstrates the attackers’ understanding of standard incident response techniques, and they did their homework on organizations before attacking. In order for businesses to defend themselves, they really need to implement a defense-in-depth strategy to protect their environments. To detect the Blackshades attack vector you need to have, at a minimum, IDS, anomaly detection based on NetFlow, deep packet forensics, antivirus, web filtering and solid log management. To make all of these technologies effective, you need to ensure that they are being monitored and managed with the latest content. Monitoring and escalation are key to detecting and minimizing the impact that Blackshades might have on your environment.