The Blackshades RAT – Entry-Level Cybercrime
Earlier this week the US government announced the arrest of more than 100 individuals linked to the Blackshades remote access Trojan (RAT). While most of those arrested were merely users of this RAT, the arrests included its co-creator, a 24-year-old Swede named Alex Yücel. Also arrested was a 23-year-old American named Brendan Johnston, who was involved in marketing the RAT to various hacker forums and provided support to “customers”.
Blackshades was sold as a toolkit, which was used to create the actual malware, detected as WORM_SWISYN.SM. The actual capabilities of the malware itself are fairly similar to other RATs: it can steal keystrokes and passwords, launch denial-of-service attacks, and download and run malware onto the affected system. It can also be configured by the attacker to spread via USB drives, if desired.
Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features”.
Figure 1. The Blackshades remote access trojan’s UI
The scale of the arrests—rarely have so many cybercriminals been arrested in one go—is entirely due to Blackshades’ ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).
There were relatively few barriers to entry— in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.
This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.
This case should serve as a warning to all would-be low level cybercriminals: law enforcement has the capability and willingness to go after cybercriminals of all capabilities and skills, and you are not too far from the long arms of the law.
Trend Micro protects users from this threat by detecting the created RATs, as well as blocking the main site that sold Blackshades.
Analysis by Rhena Inocencio.