The FBI, Europol, and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the creepware known as Blackshades (a.k.a. W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that allowed the agency to track down those suspected of involvement. As a result of this operation, the website selling Blackshades has been taken down and we expect a significant reduction in activity involving this malware.
Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry-level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website, bshades.eu, for US$40-$50. Competitively priced, with a rich feature list, Blackshades provides the attacker with complete control over an infected machine. A simple point-and-click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.
Figure 1. The Blackshades command-and-control panel
The arrests come just days after the FBI announced that it would take a more aggressive stance against cybercriminals who target American citizens, promising imminent searches, arrests and indictments.
Figure 2. Computers infected with Blackshades (2013 – 2014)
Figure 3. Top five countries affected by Blackshades activity (2013 – 2014)
As part of the sting operation, the source of this RAT – bshades.eu – has been taken offline. This will seriously affect the sale and distribution of Blackshades. Symantec expects there to be a significant decrease in activity for Blackshades in 2014. Although cracked builders and the source code for Blackshades remain online on various forums, we expect cybercriminals will begin to adopt other Trojans.
This was not the first law enforcement action taken against Blackshades. In 2012, the FBI arrested Michael Hogue (a.k.a. xVisceral) on suspicion of involvement in the Blackshades project along with over 20 other individuals. However, the malware remained on sale and Blackshades continued to see increased activity in 2013.
Organized cybercriminal groups have netted millions of euros in well-organized attacks, transferring large sums of money using Blackshades-infected computers. In a recent operation dubbed Francophone, Blackshades was used as part of a sophisticated social engineering scheme to target French companies in financially motivated attacks. Total financial losses involving Blackshades activity would be hard to gauge accurately; however, individual cases indicate they are significant. Blackshades was also observed in politically motivated attacks during the Arab Spring. Political activists were targeted in Libya and Syria during the uprisings with one variant of Blackshades (W32.Shadesrat.C).
Symantec welcomes the action taken by the FBI and remains committed to working with law enforcement and private industry partners in the effort to tackle these increasingly sophisticated cybercriminal operations.
Symantec protects users against Blackshades under the following detection names.
Intrusion Prevention Signatures
- System Infected: W32.Shadesrat 2
- System Infected: W32.Shadesrat Activity
- System Infected: W32.Shadesrat Activity 2
- System Infected: W32.Shadesrat Activity 3
If you believe you may be infected with the creepware known as Blackshades and are not a Symantec customer, you can use our free tool Norton Power Eraser to remove it from your system.