syria fighter
A rebel fighter sits on stacked chairs as he aims his weapon through a hole inside a house in the town of Morek in Hama province, Syria Reuters

A group of pro-Assad hackers in Syria are using activist websites, WhatsApp, Viber, YouTube and social media to spread malware which claims to help protect privacy.

The group of hackers has infected more than 10,000 victims using sophisticated techniques to hide the malware they are sharing on websites visited by activists, social media platforms like Facebook, YouTube, Skype and even on instant messaging services WhatsApp and Viber.

The news comes from a report from Kasperksy Lab entitled "Syrian Malware - the ever-evolving threat" which says the group of hackers is highly organised and is targeting victims inside as well as outside of Syria.

The group is playing on the fears of victims in the worn-torn country by spreading fake messages (via email, Skype, Viber etc) which claim to give details about imminent cyber-attacks.

The hackers are using various pieces of malware called Remote Access Trojans (RATs) which, once installed on a victim's computer, give the attackers full access to the infected systems - including a computers camera and microphone.


While most of the victims have been found inside Syria, some have also been found in other Middle Eastern countries, the US, France, Morocco and Turkey.

Kasperksy Lab has not gone as far as identifying the attackers - or saying if they are state-sponsored - it has detailed how the group is organised.

According to the Kaspersky's global research and analysis team, the hacker group is broken down into three teams - Team Hacker and Assad Penetrations Unit; Anonymous Syria Al Assad Unit and Management of Electronic Monitoring and Central Tracking Unit.

The researchers collected details about each team from posts on forums or websites they infiltrated, with the report breaking down each team into individual hackers and their roles with the team.

Syrian Electronic Army

The Assad regime is already thought to be backing the Syrian Electronic Army (SEA) which rose to prominence in 2013 with several high-profile attacks on western media organisations including the BBC, AP and the Guardian.

It is unclear whether this there is any link between the SEA and this new group of hackers, though the methods being employed are very different.

The group uses servers based in Syria, Russia and Lebanon to carry out the attacks.

Hiding in plain sight

While most of the RATs being used are identifiable by most anti-virus software, the group is using a range of obfuscation techniques to bypass security measures:

"In our research we were able to collect more than 100 malware samples used to attack Syrian citizens. Although most of these samples are known, cybercriminals rely on a plethora of obfuscation tools and techniques in order to change the malware structure so as to bypass signature scanning and avoid antivirus detection," the report says.

Activist have however been fighting back against the attacks, with Kaspersky reporting that denial of service attacks have been launched against the servers hosting the malware.

The hacker group uses servers based in Syria, Russia and Lebanon to carry out the attacks.

Kaspersky Lab reporters believe that this is just the beginning of a bigger cyber-campaign by the Syrian hackers targeting ever more higher-profile victims:

"We expect these attacks to continue and evolve both in quality and quantity. We expect the attackers to start using more advanced techniques to distribute their malware, using malicious documents or drive-by download exploits. With enough funding and motivation they might also be able to get access to zero day vulnerabilities, which will make their attacks more effective and allow them to target more sensitive or high profile victims."