Spying Trojan targets Iranian and Syrian web surfers, dissidents

Filed Under: Data loss, Featured, Malware, Privacy

While the press is obsessed with the Flame malware, its complexity, its size and the possibility that it was aimed at Iran, a far more nefarious piece of malicious code is targeting Iranian citizens rather than their government.

Late last week Morgan Marquis-Boire of CitizenLab.org discovered that a tool used by Iranians to protect their privacy, and by dissidents who fear persecution over their online communications, was being distributed with malware inside.

Many Iranians use a free encrypted proxy tool called Simurgh. It is also being adopted by anti-government groups in Syria who want to conceal their online activities. The official version of Simurgh can be downloaded from the official website https://simurghesabz.net, but Trojanized versions called Simurgh-setup.zip have been appearing on file sharing sites for quite some time.

The real software is a standalone executable that does not require installation, which is ideal for people who want to run it from a USB memory stick at cybercafes and other public access points. A version that insists on installing itself is therefore a warning sign in itself.

Fortunately Sophos Anti-Virus proactively detected the malicious version as HIPS/RegMod-012 for customers with our Host Intrusion Prevention System (HIPS) enabled. We have also released file-based detection as Mal/Generic-L.

Users who use a search engine to find Simurgh and download the infected version are greeted by an installer screen, instead of the application itself, when they run the file.

Simurgh Trojan installer

Once installed it begins tracking all of your activity: it keeps a log of your username, machine name, every window clicked and every keystroke entered. It then attempts to submit these logs to servers located in the United States but registered to an entity that appears to be based in Saudi Arabia.

Simurgh Trojan log file

Fortunately, one of the first things Simurgh does when launched (the real one and the fake one alike) is connect to a web page that displays your IP address, so you can confirm that your traffic is really going through the proxy.
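The check described above, as an added example (this is not Simurgh's own code): fetch an IP-echo page directly and again through the proxy, then compare the two addresses. A proxied address equal to the direct one means the proxy is not actually in the path; no answer through the proxy means you cannot assume you are covered. The echo URL and proxy address in the example are placeholders, not values from the original article.

```python
"""Proxy sanity check of the kind Simurgh performs on launch.

Added example, not Simurgh's code. The echo URL and proxy address are
assumptions; any page that echoes the caller's public IP will do.
"""
import re
import urllib.request
from typing import Optional

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ip(body: str) -> Optional[str]:
    """Return the first IPv4 address found in an echo page's body, or None."""
    match = IP_RE.search(body)
    return match.group(0) if match else None


def fetch_ip(url: str, proxy: Optional[str] = None, timeout: float = 10.0) -> Optional[str]:
    """Fetch the echo page, optionally through an HTTP proxy, and return the IP it reports.

    An empty ProxyHandler dict deliberately disables environment proxies so the
    'direct' measurement really is direct.
    """
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=timeout) as resp:
        return extract_ip(resp.read().decode("utf-8", "replace"))


def verdict(direct_ip: Optional[str], proxied_ip: Optional[str]) -> str:
    """Classify the two measurements: 'ok', 'leak' or 'no-answer'."""
    if proxied_ip is None:
        # Echo page unreachable via the proxy: treat as not protected, not as success.
        return "no-answer"
    if direct_ip is not None and direct_ip == proxied_ip:
        # Same public address both ways: traffic is bypassing the proxy.
        return "leak"
    return "ok"


def check(url: str, proxy: str) -> str:
    """Run both measurements and return the verdict; network errors count as no answer."""
    try:
        direct = fetch_ip(url)
    except OSError:
        direct = None
    try:
        proxied = fetch_ip(url, proxy=proxy)
    except OSError:
        proxied = None
    return verdict(direct, proxied)


if __name__ == "__main__":
    # Placeholders (assumptions): an IP-echo page and a local proxy endpoint.
    print(check("http://example.invalid/ip", "http://127.0.0.1:8080"))
```

Run it with a real echo page and your proxy endpoint substituted for the placeholders; anything other than "ok" means stop and investigate before relying on the proxy.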

The Simurgh team have found a way to use that page to warn users of the Trojanized version. If you see a warning like this one, stop using it immediately and remove the infected version from your computer.

It is almost always a bad idea to download and run files from unknown websites, especially torrent and file sharing sites. Always download software from its original source, just as you should type links into your browser rather than click them in emails.
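Two checks a cautious user or help desk can run on a downloaded Simurgh archive, as an added example (not Sophos or Simurgh code): compare the archive's SHA-256 with a value pinned from the official site, and list the archive's contents, flagging anything named like an installer or a nested archive, since the genuine tool is a single standalone executable and the Trojanized copy arrives as Simurgh-setup.zip with an installer. The expected hash below is a placeholder, and the sample archives are constructed in the script; they are not real downloads.

```python
"""Integrity checks for a downloaded Simurgh archive.

Added example, not code from Sophos or the Simurgh project. It assumes a
known-good SHA-256 obtained from https://simurghesabz.net (EXPECTED_SHA256
is a placeholder) and relies on the fact that the real tool needs no
installer while the Trojanized copy ships as Simurgh-setup.zip.
"""
import hashlib
import hmac
import io
import re
import zipfile
from typing import Dict, List

# Placeholder (assumption): replace with the hash published by the official site.
EXPECTED_SHA256 = "0" * 64

# Names that suggest an installer rather than a standalone binary.
INSTALLER_NAME = re.compile(r"(setup|install)", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".msi")
ARCHIVE_EXT = (".zip", ".rar", ".7z")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str = EXPECTED_SHA256) -> bool:
    """Compare the download's SHA-256 with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return archive entries that look like an installer or a nested archive."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(EXECUTABLE_EXT) and INSTALLER_NAME.search(lower):
                flagged.append(name)
            elif lower.endswith(ARCHIVE_EXT):
                flagged.append(name)
    return flagged


def assess(zip_bytes: bytes, expected_hex: str = EXPECTED_SHA256) -> Dict[str, object]:
    """Combine both checks; 'safe' only when the hash matches and nothing is flagged."""
    flagged = suspicious_entries(zip_bytes)
    ok = hash_matches(zip_bytes, expected_hex)
    return {"hash_ok": ok, "flagged": flagged, "safe": ok and not flagged}


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample archive for demonstration; not a real Simurgh download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = build_zip({"Simurgh.exe": b"MZ standalone (constructed)"})
    trojan = build_zip({"Simurgh-setup.exe": b"MZ installer (constructed)"})
    pinned = sha256_hex(genuine)  # stands in for the hash from the official site
    print("genuine:", assess(genuine, pinned))
    print("trojan: ", assess(trojan, pinned))
```

The hash comparison is the check that actually matters; the name heuristic only catches the obvious case described here and would be trivial for an attacker to sidestep, so treat a clean listing as no more than a first pass.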

More important, though, are the intended victims and this malware's likely origin. Unlike Flame, a highly targeted malware found on only a handful of computers worldwide, this malware targets users for whom having their communications compromised could mean imprisonment or worse.

Many thousands of people depend on the legitimate Simurgh service, so it is likely that far more people have been affected by this malware than by Flame. Let's not take our attention away from what matters here: the safety of the majority of internet users.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.