
11/26/2013

Symantec: Blackshades Remote Access Tool (RAT) still being traded

Cybercriminals are increasingly using the Blackshades Remote Access Tool (RAT), a malicious program whose source code was leaked three years ago, according to an analysis by Symantec.


Santiago Cortes, a security response engineer at Symantec, wrote in a blog post that Blackshades, which Symantec identifies as “W32.Shadesrat”, has been infecting more MS Windows computers and is being controlled from many hundreds of command-and-control (C&C) servers worldwide, despite the June 2012 arrest of Michael Hogue (a/k/a “xVisceral”), the alleged author of the malicious code.



As already mentioned, Blackshades is a Remote Access Tool (RAT) that collects usernames and passwords for email and/or web services, instant messaging applications (such as ICQ), FTP clients and many more. It has been sold on underground (black hat) forums since at least 2010.

It’s common for attackers to use RATs, which can also be used to upload further malicious software to a computer or to destroy and manipulate files. To evade antivirus software, the program itself is frequently modified, which is why a malware variant changes its name in the eyes of AV analysts. For instance, this file is called W32.Shadesrat.C, which usually means (as in this case) that it is the third (A, B, C) modified variant, or generation, if you like.

In his post, Cortes mentions that Lithuania and the United States have the highest number of command-and-control servers. Most of those servers have hosted exploit kits at some point in time, a type of baited trap that delivers additional malware to computers with software vulnerabilities (don’t forget to update). Referring to Blackshades, Cortes says that India, the U.S. and the U.K. have the most computers infected with this RAT.

Cortes writes:

“The distribution of the threats suggests that the attackers attempted to infect as many computers as possible; the attackers do not seem to have targeted specific people or companies.”

Earlier this year, Symantec wrote in a blog post that a license to use Blackshades may cost around $40 to $100 a year.


On this graph, I’d like to point to two earlier posts on malicious IPs, which likely show how involved the small country of Luxembourg, in the heart of Europe, is in malicious activity:


Symantec wrote as well that Blackshades had been promoted on underground forums by a person going by the nickname “xVisceral”.


In June 2012, the U.S. Attorney’s Office for the Southern District of New York announced the arrest of Michael Hogue (Rogue?) in Tucson, Arizona. Hogue was arrested along with 23 others in a “carding” scheme, which involved trafficking in financial details.


FBI Article: Two-Year FBI Undercover “Carding” Operation Protected Over 400,000 Potential Cyber Crime Victims and Prevented Over $205 Million in Losses

He was charged with conspiracy to commit computer hacking and distribution of malware.
