Spying Trojan targets Iranian and Syrian web surfers, dissidents

Green Simurgh logoWhile the press is obsessed with the Flame malware, its complexity, size and the possibility that it may have targeted Iran, there is a far more nefarious piece of malicious code targeting Iranian citizens, not their government.

Late last week Morgan Marquis-Boire from CitizenLab.org discovered a tool used by Iranians to protect their privacy and by dissidents who fear oppression related to their online communications was being distributed with malware inside.

Many Iranians use a free encrypted proxy tool called Simurgh. It is also being adopted by anti-government groups in Syria, interested in concealing their online activities. The official version of Simurgh can be downloaded from the official website https://simurghesabz.net, but Trojanized versions called Simurgh-setup.zip have been appearing on file sharing sites for quite some time.

The real software is standalone and does not require installation, which is ideal for people who want to run it from a USB memory stick at cybercafes and other public access points.

Sophos detecting SimurghFortunately Sophos Anti-Virus proactively detected the malicious version as HIPS/RegMod-012 for customers who have our Host Intrusion Prevention System (HIPS) enabled. We have also released file-based detection as Mal/Generic-L.

Users who use a search engine to find Simurgh and download the infected version will be prompted with an installer screen, instead of the application itself when the file is executed.

Simurgh Trojan installer

After it is installed it will begin tracking all of your activity. It keeps a log of your username, machine name, every window clicked and keystroke entered. It attempts to submit these logs to some servers located in the United States, but registered to an entity that appears to be based in Saudi Arabia.

Simurgh Trojan log file

Fortunately one of the first things that happens upon launching Simurgh (the real one and the fake one) is that it connects to a web page that displays your IP address so you can confirm you are successfully connected to the proxy.

Simurgh warningThe Simurgh team have found a way to warn/notify users of the Trojaned version. If you see a warning like this one, be sure to stop using it immediately and remove the malware infected version from your computer.

It is almost always a bad idea to download and run files from unknown websites, especially files from torrent and file sharing sites. You should always download files from the source, no different than you should always type links instead of clicking them in emails.

More importantly though is the intended victims and this malware’s likely origin. Unlike Flame, which is a highly targeted malware that has only been found on a handful of computers globally, this malware is targeting users for whom having their communications compromised could result in imprisonment or worse.

Many thousands of people depend on the legitimate Simurgh service, which makes it likely that far more people have been impacted by this malware. Let’s not take our attention from what is important here, the safety of the majority of internet users.