The developers of a highly capable remote access Trojan known as SilverRAT have ties to both Turkey and Syria and are preparing to release an updated version of their tool. The current iteration, SilverRAT v1, runs only on Windows and lets operators build malware tailored for keylogging and ransomware attacks. Cyfirma, a Singapore-based cybersecurity firm, released a threat analysis on January 3 outlining SilverRAT’s destructive features, such as the ability to delete system restore points.

Cyfirma’s analysis emphasizes the increasing sophistication of cybercriminal groups in the region, underscoring the evolving nature of the underground markets. The first version of SilverRAT surfaced in October when its source code was leaked by unidentified actors. The leaked code comprised a builder enabling users to create a remote access Trojan with specific functionalities.

Noteworthy features identified by Cyfirma include the Trojan’s ability to use either an IP address or a webpage for command and control, evasion techniques for antivirus software, the capability to erase system restore points, and delayed execution of payloads. Two threat actors, operating under the aliases “Dangerous silver” and “Monstermc,” are identified as the developers behind both SilverRAT and a preceding program, S500 RAT.
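As an added defender-side example (not from Cyfirma’s report or from SilverRAT itself), the restore-point deletion feature described above can be surfaced from endpoint process-creation telemetry. The script below runs a few constructed Sysmon-style records through rules for the standard Windows commands that delete shadow copies or disable System Restore; the event field names, rule names and severity scheme are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4012, "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"pid": 4020, "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"pid": 4033, "cmdline": "powershell -nop -w hidden Disable-ComputerRestore -Drive C:\\",
     "parent": r"C:\Users\u\Downloads\invoice.exe"},
    {"pid": 5100, "cmdline": "vssadmin.exe list shadows",  # benign admin query, must not alert
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5200, "cmdline": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
     "parent": r"C:\Program Files\BackupAgent\agent.exe"},
]

# Rule name plus a pattern over the command line. These cover the usual ways
# restore points / volume shadow copies are removed on Windows.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("ps_disable_computerrestore", re.compile(r"\bDisable-ComputerRestore\b", re.I)),
    ("wmi_win32_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]

# A parent image running from a user-writable location raises the severity:
# legitimate backup agents rarely live in Temp, AppData or Downloads.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)


def detect(events):
    """Return one alert per event whose command line matches a tampering rule."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({
                    "pid": ev["pid"],
                    "rule": name,
                    "severity": "high" if USER_WRITABLE.search(ev["parent"]) else "medium",
                })
                break  # first matching rule is enough for one event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign `vssadmin list shadows` record is deliberately included so the rules can be checked for false positives on ordinary administration.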

These hackers conduct their operations on platforms such as Telegram and various online forums, where they engage in the sale of malware-as-a-service, distribute cracked RATs from other developers, and offer a range of related services. The group, known as Anonymous Arabic, maintains a blog and website. Rajhans Patel, a threat researcher with Cyfirma, has mentioned, “There are two people managing SilverRAT.

The dashboard designed for crafting trojans in SilverRAT. Source: Cyfirma.

The Anonymous Arabic group is active on forums such as Turkhackteam, 1877, and at least one Russian forum. In addition to developing SilverRAT, the group provides distributed denial-of-service (DDoS) attacks on demand through a botnet named “BossNet,” as observed since late November 2023.

While state-sponsored hacking groups from Iran and Israel have traditionally dominated the Middle East’s threat landscape, indigenous groups like Anonymous Arabic continue to thrive in the cybercrime markets. The ongoing evolution of tools like SilverRAT underscores the dynamic nature of the underground markets in the region.

The members of Anonymous Arabic exhibit diverse backgrounds, with at least one identified as a former game hacker in his early 20s residing in Damascus, Syria. Data gathered by Cyfirma researchers from the hacker’s Facebook profile, YouTube channel, and social media posts reveal a history of hacking activities initiated during his teenage years.

Cyfirma notes a growing trend in which young hackers begin by exploiting games or launching denial-of-service attacks against gaming systems. The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) has identified the progression from juvenile hackers to cybercriminal enterprises as a significant threat. Citing the success of groups like Lapsus$ in attacking well-resourced companies, the CSRB recommends comprehensive programs to divert juveniles away from cybercrime.

However, the allure of cybercrime persists for young programmers and technology-savvy teenagers. Sarah Jones, a cyber threat intelligence research analyst at Critical Start, emphasizes the diversity within hacker communities, acknowledging that some hackers may progress from game hacks to more serious tools and techniques. Despite efforts to redirect juveniles, cybercriminals often target industries and countries with weaker cyber defenses.
