
W32.Shadesrat (Blackshades) Author Arrested?

Created: 29 Jun 2012 13:44:24 GMT • Updated: 23 Jan 2014 18:14:25 GMT • Translations available: 日本語

In a global sting operation carried out by the FBI, over 24 people have been arrested, including an individual named Michael Hogue, a.k.a. "xVisceral". According to an underground forum post, xVisceral is involved in the Blackshades project, at the very least as a project manager. It is likely, however, that this Remote Access Tool (RAT) is the work of more than one individual.

"MICHAEL HOGUE, a/k/a "xVisceral," offered malware for sale, including remote access tools ("RATS") that allowed the user to take over and remotely control the operations of an infected victim-computer. HOGUE's RAT, for example, enabled the user to turn on the web camera on victims' computers and spy on them, and to record every keystroke of the victim-computer's user. If the victim visited a banking website and entered his or her user name and password, the key logging program could record that information, which could then be used to access the victim's bank account. HOGUE sold his RAT widely over the Internet, usually for $50 per copy and boasted that he had personally infected "50-100" computers with his RAT, and that he'd sold it to others who had infected "thousands" of computers with malware. HOGUE's RAT infected computers in the United States, Canada, Germany, Denmark, and Poland, and possibly other countries."
Source: United States Attorney's Office

The coder for the tool appears to be "MarjinZ". The source code for BlackShades was leaked in 2010 and both aliases appear in the chat server admin database.

Figure 1. The chat server admin database

W32.Shadesrat is a Remote Access Tool (RAT) that has been available for sale since at least 2010.

Figure 2. Blackshades command-and-control user interface

W32.Shadesrat has been used in many targeted attacks, including a recent attack against Syrian activists (a variant Symantec detects as W32.Shadesrat.C). This variant of Shadesrat was sent to users through instant messages from a compromised account.

Once installed, the RAT connects to alos[REMOVED]6.myftp.org to await commands from the attacker. The attacker would have complete control over a compromised computer, along with the ability to record keystrokes, perform denial of service attacks, change the desktop background, as well as other functionality.
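The C2 hostname above sits under myftp.org, a dynamic-DNS zone, which is a common pattern for commodity RATs whose operators have no fixed infrastructure. A practical first check in an incident like the one described is to sweep DNS query logs for hostnames beneath dynamic-DNS provider zones and group them by querying host. The following is an added example written for this article, not code from Symantec or from the Blackshades project. The log lines are constructed (BIND-style query log format, not real traffic), the hostnames in them are invented, and the suffix list beyond myftp.org is an assumed starting set that a practitioner would extend for their own environment.

```python
"""Flag DNS queries for hostnames under dynamic-DNS zones of the kind Shadesrat used for C2."""
import re
from collections import defaultdict

# Dynamic-DNS zones to watch. myftp.org is the zone named in the post; the
# remaining entries are assumptions added here as examples of the same family.
DYNAMIC_DNS_SUFFIXES = (
    "myftp.org",
    "no-ip.org",
    "no-ip.biz",
    "zapto.org",
    "hopto.org",
    "dyndns.org",
)

# Constructed sample log (BIND-style query log lines); hostnames are invented.
SAMPLE_DNS_LOG = """\
29-Jun-2012 13:40:01.101 client 10.0.0.15#51234: query: example-rat.myftp.org IN A + (10.0.0.1)
29-Jun-2012 13:40:03.220 client 10.0.0.15#51240: query: www.symantec.com IN A + (10.0.0.1)
29-Jun-2012 13:41:17.005 client 10.0.0.22#49811: query: updates.example.net IN A + (10.0.0.1)
29-Jun-2012 13:45:01.330 client 10.0.0.15#51301: query: example-rat.myftp.org IN A + (10.0.0.1)
29-Jun-2012 13:46:44.870 client 10.0.0.31#40023: query: files.hopto.org IN A + (10.0.0.1)
29-Jun-2012 13:47:10.002 client 10.0.0.22#49900: query: myftp.org.example.com IN A + (10.0.0.1)
"""

# Fields we need from each line: timestamp, querying client, queried name, type.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return a dict with ts/src/qname/qtype for a matching line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise: strip a trailing root dot and lowercase for suffix comparison.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_dynamic_dns(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if qname is a dynamic-DNS zone or any label beneath one.

    The match is anchored on a label boundary, so 'notmyftp.org' and
    'myftp.org.example.com' do not count; a bare endswith() check would
    produce false positives on the first form and miss the intent of the second.
    """
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def find_dynamic_dns_queries(log_text, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Return {client_ip: {qname: query_count}} for queries under dynamic-DNS zones."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec and is_dynamic_dns(rec["qname"], suffixes):
            hits[rec["src"]][rec["qname"]] += 1
    return {src: dict(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in sorted(find_dynamic_dns_queries(SAMPLE_DNS_LOG).items()):
        for qname, count in sorted(names.items()):
            print(f"{src}\t{qname}\t{count} queries")
```

Dynamic DNS has plenty of legitimate users, so a hit is a hunting lead rather than a verdict: the value is in the per-host grouping (10.0.0.15 polling the same myftp.org name repeatedly looks like a beaconing implant; a single lookup may be nothing) and in pivoting from the flagged hostname to the resolved address, the process that made the connection, and the detection name on that host.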

Shadesrat is not the only RAT targeting the Syrian activists; we have also seen Backdoor.Krademok (a.k.a. Darkmoon) and XtremeRat.

According to the FBI report, Michael Hogue contacted the administrator of CarderProfit, a carding forum, in an effort to sell and promote Blackshades, which ultimately led to his arrest. The penalties for conspiracy to commit computer hacking and distribution of malware are steep and can carry a sentence of up to ten years for each crime.

The Blackshades website is still online offering the RAT for sale; however, it does appear that xVisceral resigned from the project in 2011.

Figure 3. Resignation of xVisceral

We will continue to monitor this RAT for any further developments.