The sole purpose of this malware seems to be to expose the anti-ISIS groups or people and annihilate them. RSS which is a rabid ISIS opposer and is situated within the ISIS stronghold of Raqqah is being primarily targeted by this malware. Citizen Labs states that email sender claims to be from a Canadian expat group which wants to help in the fight against ISIS. The message body contains a URL and tell the receiver to check about the reports of ISIS. On clicking this URL, the victim is lead to a file-sharing account with TempSend, and downloads an archive called slideshow.zip. The email being sent to the rebels is given below The slideshow.zip contains a dangerous spyware called AdobeR1.exe alongwith some maps of Syria. This plain vanilla AdobeR1 spyware then send back the victims IP address to its ISIS masters when the system is booted. Based on the IP address received from this IP address, the ISIS then pinpoints the rebel group or user by narrowing down the geolocation. Translated English version Thank you for your efforts to deliver a true picture of the reality of life in Raqqah. As Syrians residing in Canada we are working with media because we believe in the importance of shedding light on the realities of life in Syria, and Raqqah in particular. We are preparing a lengthy news report on the realities of life in Raqqah. We are sharing some information with you with the hope that you will correct it in case it contains errors. We have prepared a map of the city of Raqqah, in addition to a preliminary report. We hope that you have a look at it with them and inform us of any errors. We also hope that if you happen to be on Facebook, you could provide us with the account of the person responsible for the campaign, if you don’t mind, so that we can communicate with him directly. You can see a preliminary copy of the report on this linkhttps://tempsend [DOT]com/[Redacted]With all respect [Name Redacted]
Citizen Lab says that since Syria is a very poor internet developed country and internet usage is scarce and predominantly available in Internet cafes, the ISIS can track down the user quite easily once the victim boots his/her system. As said above, the malware is quite plain with no obfuscation processes, In addition, the malware uses the old PKWARE implementation of zip encryption, which is not particularly secure. The password for the zipped file is also present in the binary without encryption or obfuscation. Citizen Labs attributes this malware to three sources
Pro-regime / regime-linked malware groups ISIS-linked hackers Other, unknown actors
Based on the case study, Citizen Labs says that the most probable originator of the malware is ISIS. Resource Citizen Lab.
