|FBI Private Industry Notification: FBI led takedown of “Blackshades Remote Access Tool” purchasers, developers||Download|
|FBI Liaison Alert System #R-000029-MW||Download|
|Blackshades Domain List||Download XLS|
(U) On 13 May 2014, FBI NY initiated a coordinated takedown focusing on individuals who purchased the Blackshades malware. Field offices across the United States, as well as foreign partners, engaged in subject interviews, searches, hardware seizures, and arrests. The FBI seized the primary domain utilized to purchase Blackshades products.
(U) Blackshades has several products marketed for $5 to $40 USD, most of which are malware. These products include Blackshades Remote Access Tool (RAT), Blackshades Password Recovery, Blackshades Stealth, Blackshades Fusion, Blackshades Commander, Blackshades Crypter, and Blackshades Virtual Private Network (VPN). The most popular and versatile product sold by Blackshades is the Blackshades RAT. These are purchased as “off the shelf” products with a wide variety of features that allow a cyber criminal to use as they desire. Once the victim computer is infected, common uses for Blackshades include: access to victims’ computers; theft of passwords and credentials; key-logging ability; and Distributed Denial of Service attacks.
(U) Prior to the coordinated actions, two subjects associated with the Blackshades organization were arrested. Alex Yucel was identified as the developer of the Blackshades malware. Yucel not only wrote software code behind the malware, but also was responsible for improvements and updates to the malware and control of the Blackshades server. Yucel was arrested by Moldovan authorities in November 2013 and is currently awaiting extradition to the United States. Michael Hogue, a known seller and “customer service advisor” in the Blackshades organization was arrested in June 2012 and subsequently pled guilty to the charges against him.
(U) How Blackshades Connects to Victim’s Computers:
(U) In order for a connection to be established, the malware on a victim computer must know the IP address and listening port on the command and control computer. Given that many users have a dynamic IP address controlled and assigned by their Internet Service Provider, the malware is programmed to call to a unique domain names created by the Blackshades user. The Blackshades user associated this name with their IP address using any domain hosting service of their choice. In this manner, when the malware calls to the established domain, standard DNS protocols will route the malware to the Blackshades user’s IP address.
(U) The FBI is providing approximately 13,600 domains used by Blackshades users, which have been observed receiving status updates or have participated in previous attacks. These URLs are located within the United States and worldwide. The FBI is distributing these indicators to enable identification of Blackshades infections on their networks. The FBI has high confidence that these indicators were involved in past Blackshades related activity. The FBI recommends that your organization help victims identify and remove the malicious code.
Notes on Domain List: Computers infected with Blackshades may make DNS queries for these domains and attempt to connect to the corresponding IP addresses (usually on destination port 3080, 3333 or 4444). Disclaimer: these domains may be used for legit traffic.