Akamai's Prolexic Security Engineering & Research Team (PLXsert) is warning companies of stealth surveillance and computer hijacking attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit.
When malicious actors infect machines with the Blackshades RAT malware, they gain the ability to monitor video and audio data, record keylogging information from the user, and harvest sensitive credentials to banking, email, websites and applications. Remote access capabilities also let attackers hijack victim machines to run executables and lock out owners' file access, according to an advisory released this morning.
Blackshades is among the most popular RATs in the criminal underground. It's equipped with an ample list of crimeware features:
- The surveillance feature mimics the capabilities of legitimate software.
- Victims have no idea they are sharing information.
- Webcam and screen captures provide tangible data about the victim.
- Keylog data can provide access to sensitive information in real time as it is typed.
It's a threat that has caught the attention of the FBI. So far, the agency has arrested close to 100 people allegedly connected to the Blackshades RAT operation.
"Blackshades RAT is a relatively new and very powerful crimeware kit that can expose confidential information as the user works," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "It's like having someone watch over the user's shoulder without their knowledge. In addition, the malicious actor can use the infected computers to run malicious programs and even lock users out of their own files."
Payloads can be tough to detect and challenging to defend against. A typical infection consists of a multi-stage attack, where the victim is tricked into downloading a file, which will subsequently download and execute the actual Blackshades payload.
Once the payload infects a system, it typically goes through a couple of stages:
- The stealth stage, where the RAT tries to leave the smallest footprint possible on the infected system; and
- The "establishing persistence" stage, which allows the malware to survive system reboots.
Once stealth and persistence are attained, a multitude of illegitimate capabilities become available to the malicious actor.
PLXsert expects the Blackshades RAT toolkit will gain more traction and continue to be a persistent threat for motivated cyber criminals. PLXsert will continue to monitor the use of Blackshades RAT and provide updates when applicable.