Blackshades RAT: A Dangerous, Powerful Crimeware Kit


Page 1

akamai.com

Blackshades RAT Highlights from a State of the Internet Threat Advisory

Page 2

= what is blackshades?

•  Blackshades RAT is a Remote Access Tool and an exceptionally powerful cybercrime threat
•  RATs (also known as Remote Administration Trojans) are surveillance tools that can extract sensitive information from an infected machine
•  Blackshades has already been used for blackmail and extortion against famous personalities
•  Blackshades has an enormous variety of features, which makes it extremely popular for cybercrime

2 / [state of the internet] / threat advisory

Page 3

= about blackshades

•  Blackshades surfaced on the Internet in 2010
•  One of the most popular RATs in the criminal underground
•  The creators were recently arrested by the FBI, along with 90 other people involved in its distribution
•  Several attacks, including the blackmail and extortion of Miss Teen USA and use by government entities, received media attention


Page 4

= stealth techniques

•  Blackshades is extremely hard to detect and requires expertise to remove
  ⁄  File cloning allows the Blackshades payload to appear identical to a legitimate file
  ⁄  Can detect the presence of a debugger and change its behaviour when one is attached
  ⁄  Contains an anti-kill feature that can shut down or even crash the computer if the user attempts to terminate the payload process
  ⁄  FUD (Fully Undetectable) crypters repack the payload so that signature-based antivirus programs do not recognize it; the protection lasts only until the repacked sample is itself signatured

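The debugger check named on the stealth slide, as an added illustration rather than Blackshades' own code: a generic "is a debugger attached?" test in C of the kind a RAT runs before deciding whether to behave. On Windows it calls IsDebuggerPresent() (which reads the PEB BeingDebugged flag); on Linux it reads the TracerPid field of /proc/self/status, which is non-zero while a ptrace-based debugger such as gdb or strace is attached. The function names and the status-file parsing helper are assumptions for this example, and the sample status text used to exercise the parser is constructed.

```c
/* Added example, not code from Blackshades or from the Akamai advisory.
 * A generic anti-debugging check: malware branches on the result to hide,
 * stall or crash instead of running its real payload; an analyst patches the
 * check (or forces its return value to 0) to get the normal path under a
 * debugger.
 *   Windows : IsDebuggerPresent() reads PEB->BeingDebugged.
 *   Linux   : /proc/self/status has "TracerPid:\t<pid>", non-zero when a
 *             ptrace tracer is attached.
 *   Other   : no procfs, so the check reports "no debugger".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Parse the TracerPid value out of a /proc/<pid>/status buffer (assumed
 * helper name). Returns the tracer pid, 0 if no tracer, -1 if the field is
 * absent from the text. */
int tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t')      /* skip the tab/space padding */
        p++;
    return (int)strtol(p, NULL, 10);
}

/* 1 if a debugger or tracer is attached to this process, 0 otherwise. */
int debugger_present(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                        /* no procfs: assume no tracer */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int pid = tracer_pid_from_status(buf);
    return pid > 0 ? 1 : 0;
#endif
}

int main(void)
{
    /* This is the branch a RAT hides behind and an analyst patches out. */
    if (debugger_present())
        puts("debugger attached: a RAT would stall, hide or crash here");
    else
        puts("no debugger: a RAT would run its real payload here");
    return 0;
}
```

On Linux, `cc -o dbgcheck dbgcheck.c` and compare `./dbgcheck` with `gdb -batch -ex run ./dbgcheck` to see the two branches. When analysing a sample that uses a check like this, break on the API call (or on the read of /proc/self/status) and force the return value to zero, or patch the conditional jump after it, so the payload follows its normal path under the debugger.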

Page 5

= what can blackshades do?

•  Surveillance
  ⁄  Keylogging captures passwords and credentials as they are typed
  ⁄  Webcam access allows real-world monitoring of the victim
  ⁄  Screen view (similar to commercial products such as TeamViewer)
  ⁄  Live Logger provides additional context data


Page 6

= what can blackshades do?

•  Remote administration capabilities
  ⁄  Blackshades gives malicious actors the same access to information as if they were at the physical machine
  ⁄  Provides operating system administration utilities such as registry access and process enumeration
  ⁄  The attacker can remotely download and run executables on the infected machine, including additional malware or DDoS toolkits


Page 7

= what can blackshades do?

•  Additional features
  ⁄  Can take control of the mouse, either for annoyance (erratic mouse movement) or for monetary purposes (forcing the user to click on ads)
  ⁄  File hijacker is ransomware: it encrypts the victim's files and prompts the user to pay for the decryption key


Page 8

= mitigation tips

•  Download the Blackshades RAT threat advisory for indicators of infection and a YARA rule
•  Because the payload and the infection techniques are highly stealthy, practice diligence when browsing the Internet, reading email, and using other Web-based applications that are prone to attack
•  Review the FBI advisory to learn about other potential signs of infection


Page 9

= threat advisory: blackshades RAT

•  Download the threat advisory at www.stateoftheinternet.com/blackshades
•  This threat advisory includes:
  ⁄  Recent history of remote access tools
  ⁄  Example payloads and payload builder analysis
  ⁄  Analysis of the infection and persistence process
  ⁄  Detailed overview of remote access and surveillance capabilities
  ⁄  Indicators of infection
  ⁄  Mitigation advice, including a YARA rule


Page 10

= about stateoftheinternet.com

•  StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

•  Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.
