W32.Shadesrat (Blackshades) Author Arrested?
In a global sting operation carried out by the FBI, over 24 people have been arrested, including an individual named Michael Hogue, a.k.a. "xVisceral". According to an underground forum post, xVisceral is involved in the Blackshades project, at the very least as a project manager. It is likely, however, that this Remote Access Tool (RAT) is the work of more than one individual.
"MICHAEL HOGUE, a/k/a "xVisceral," offered malware for sale, including remote access tools ("RATS") that allowed the user to take over and remotely control the operations of an infected victim-computer. HOGUE's RAT, for example, enabled the user to turn on the web camera on victims' computers and spy on them, and to record every keystroke of the victim-computer's user. If the victim visited a banking website and entered his or her user name and password, the key logging program could record that information, which could then be used to access the victim's bank account. HOGUE sold his RAT widely over the Internet, usually for $50 per copy and boasted that he had personally infected "50-100" computers with his RAT, and that he'd sold it to others who had infected "thousands" of computers with malware. HOGUE's RAT infected computers in the United States, Canada, Germany, Denmark, and Poland, and possibly other countries."
Source: United States Attorney's Office
The coder for the tool appears to be "MarjinZ". The source code for BlackShades was leaked in 2010 and both aliases appear in the chat server admin database.
Figure 1. The chat server admin database
W32.Shadesrat is a Remote Access Tool (RAT) that has been available for sale since at least 2010.
Figure 2. Blackshades command-and-control user interface
W32.Shadesrat has been used in many targeted attacks, including a recent attack against Syrian activists (a variant Symantec detects as W32.Shadesrat.C). This variant of Shadesrat was sent to users through instant messages from a compromised account.
Once installed, the RAT connects to alos[REMOVED]6.myftp.org to await commands from the attacker. The attacker would have complete control over a compromised computer, along with the ability to record keystrokes, perform denial of service attacks, change the desktop background, as well as other functionality.
Shadesrat is not the only RAT targeting the Syrian Activists—we have also seen Backdoor.Krademok (a.k.a. Darkmoon) and XtremeRat.
According to the FBI report, Michael Hogue contacted the administrator of CarderProfit, a carding forum, in an effort to sell and promote Blackshades, which ultimately lead to his arrest. The penalties for conspiracy to commit computer hacking and distribution of malware are steep and can carry a sentence of up to ten years for each crime.
The Blackshades website is still online offering the RAT for sale; however, it does appear that xVisceral resigned from the project in 2011.
Figure 3. Resignation of xVisceral
We will continue to monitor this RAT for any further developments.