The stealthy Blackshades Remote Access Tool makes it all too easy for malicious actors to infect computers with a powerful, multifeatured trojan. Once a computer is infected, attackers can monitor audio and video, look through webcams, capture screens, log keystrokes, and use a wide variety of other dangerous features. Learn how you can protect your computer and your sensitive information from this severe cybersecurity threat in this short slide presentation.
2. what is blackshades?
• Blackshades RAT is a Remote Access Tool – an exceptionally powerful cybercrime threat
• RATs (also known as Remote Administration Trojans) are surveillance tools that can extract sensitive information
• Blackshades has already been used for blackmail and extortion against famous personalities
• Blackshades has an enormous variety of features – making it extremely popular for cybercrime
2 / [state of the internet] / threat advisory
3. about blackshades
• Blackshades surfaced on the Internet in 2010
• One of the most popular RATs in the criminal underground
• The creators were recently arrested by the FBI, along with 90 other people involved in its distribution
• Several attacks, including the blackmail and extortion of Miss Teen USA and use by government entities, received media attention
4. stealth techniques
• Blackshades is extremely hard to detect, and requires expertise to remove.
⁄ File cloning allows the Blackshades payload to appear identical to a legitimate file
⁄ Can detect the presence of a debugger
⁄ Contains anti-kill feature that can shut down or even crash the computer if the user attempts to terminate the payload process
⁄ FUD (Fully Undetectable) crypters allow the payload to bypass antivirus programs
5. what can blackshades do?
• Surveillance
⁄ Keylogging monitors for passwords and credentials
⁄ Webcam access allows for real-world monitoring of victim
⁄ Screen view (similar to commercial products such as TeamViewer)
⁄ Live Logger provides additional context data
6. what can blackshades do?
• Remote Administration Capabilities
⁄ Blackshades provides malicious actors with all the same information as if they had access to the physical machine
⁄ Provides operating system administration utilities such as registry access and process enumeration
⁄ Attacker can remotely download and run executables on infected machine – including additional malware or DDoS toolkits
7. what can blackshades do?
• Additional features
⁄ Can take control of the mouse, either for annoyance purposes (erratic mouse movement) or monetary purposes (forcing user to click on ads)
⁄ File hijacker is ransomware – it encrypts the victim’s files and prompts the user to pay for the decryption key
8. mitigation tips
• Download the Blackshades RAT threat advisory for indicators of infection and a YARA rule
• Due to the high degree of stealth in the payload and infection techniques, practice diligence when browsing the Internet, reading emails, and using other Web-based applications prone to attacks
• Review the FBI advisory to learn about other potential signs of infection
9. threat advisory: blackshades RAT
• Download the threat advisory at www.stateoftheinternet.com/blackshades
• This DDoS threat advisory includes:
⁄ Recent history of remote access tools
⁄ Example payloads and payload builder analysis
⁄ Analysis of infection and persistence process
⁄ Detailed overview of remote access and surveillance capability
⁄ Indicators of infection
⁄ Mitigation advice, including YARA rule
10. about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.