![]() Similarly, njRAT has been widely used by attackers in Syria, and is frequently packaged with dummy or functional programs. Instead we suspect this was developed for yet another targeted attack against the opposition. We do not believe this indicates a broader attack against Psiphon 3 users throughout the globe. It is unsurprising that it, along with other security and communications tools used by Syrian opposition groups, should be maliciously re-purposed. ![]() Psiphon 3 is a widely used and trusted circumvention product. ![]() The malware is believed to be part of an active campaign. ![]() The file name and icon are intended to appear identical to a genuine Psiphon 3 executable file. If in doubt, visit psiphon.ca to download a new copy. The Psiphon team is monitoring the attack, and Karl Kathuria (Psiphon’s VP) encourages all new users of Psiphon to check the validity of their client. This brief note describes the implant’s appearance and behavior, then explains how to obtain and verify genuine copies of Psiphon 3. For example, in June 2013 we published a report describing how attackers had maliciously modified the proxy software Freegate. ![]() Interestingly, this is not the first time we identified a malicious repackaging of circumvention programs in the context of the Syrian conflict. This is likely part of a targeted attack against the Syrian opposition by a known actor, not all users of Psiphon. When executed, the implant communicates with a Syrian Command and Control server. The malware contains both a functioning copy of Psiphon, and the njRAT trojan. In the past 24 hours, we have identified a malicious repackaging of the Psiphon 3 circumvention tool. The Citizen Lab developed the original design of Psiphon, a censorship circumvention software, which was spun out of the lab into a private Canadian corporation (Psiphon Inc.) in 2008. ![]()
0 Comments
Leave a Reply. |