06:16 PM
Connect Directly

Blackshades Boss Pleads Not Guilty

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

Alex Yucel, 24, the alleged co-author of the Blackshades remote access Trojan (RAT) and owner-operator of the BlackShades organization, pleaded not guilty Thursday to multiple cybercrime charges levied against him last week as part of a major FBI sting that netted more than 90 other arrests. (BlackShades co-author Michael Hogue, a.k.a. "xVisceral," arrested in June 2012, has pleaded guilty.) If convicted, Yucel, a.k.a. "marjinz," a.k.a. "Victor Soltan," faces up to 15 years in prison -- and the evidence against him is extensive.

As described in court documents describing charges against another Blackshades employee, law enforcement has records of Yucel paying to lease computers, employee reviews he wrote, employee payment records, and chains of emails between him and an insider who turned FBI informant.

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

As for the malware itself (detected as WORM_SWISYN.SM), it is a very robust, very user-friendly RAT toolkit. As Symantec describes, "A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.

It can be used to log keystrokes, launch denial-of-service attacks, and download and run malware onto the affected system. It can spread via USB drives, social network accounts, or instant messages; it even automatically generates a draft of the message. It includes built-in marketplaces for buying bots and crypters.

Brian Wallace at Cyclance gives a good rundown of the malware's features, adding:

Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features.”

In addition to being a friendly one-stop-shop, the organization has provided professional service. Court documents state that Yucel had hired a marketing director, a website developer, and a team of customer service representatives. The malware was frequently updated. The organization had a detailed database of over 6,000 customer profiles.

It seemed that the people running BlackShades forgot that they were running an illegal operation. The $40 price tag for their product and services -- plus the fact that older versions of the software were available for free -- did not reflect the high risk of doing business. Although the low price helped make BlackShades popular, the malware wasn't terribly lucrative. Law enforcement estimates that the company made approximately $350,000 over the period from September 2011 to April 2014 -- that's only an average of $7,095 per month to split between all employees.

Although the US government arrested over 90 Blackshades employees and customers, seized more than 1,900 domain names used by Blackshades customers to control infected computers, and shut down the site used to sell the product, security experts say that the threat still exists.

Adam Kujawa, lead of the malware intelligence team at Malwarebytes, wrote today that after just a little searching he found and downloaded a freemium version of BlackShades -- not as up-to-date or feature-rich as the most recent version, but still dangerous. "So if you are wondering if an outdated version of Blackshades is even a threat," writes Kujawa, "the answer is absolutely."

On the plus side, says Kujawa, the BlackShades business was suffering a bit recently anyway. He writes:

Fortunately, the interest in Blackshades has decreased due to an array of different issues with the product. Customers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions discovered that opened a backdoor onto the attackers' system, essentially turning a bad guy into just another victim.

TrendMicro researchers say that another problem BlackShades brought upon itself was that, because of its very accessible, user-friendly nature, it appealed to amateur ne'er-do-wells, enabled "entry-level cybercrime," and left itself more exposed to risk. As TrendMicro Threat Response Engineer Rhena Inocencio wrote Monday:

The scale of the arrests -- rarely have so many cybercriminals been arrested in one go -- is entirely due to Blackshades' ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

There were relatively few barriers to entry -- in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

While the Blackshades' product and services were exemplary, Yucel's failings in finance and risk management might be his undoing.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
6/3/2014 | 10:51:48 AM
More interested in what charges will really stand up in court
This is going to be an odd one.

Blackshades is, obviously, an abomination, and despite the protestations of some of the customers, I very much doubt there is any legitimate reason for a normal person to buy such a thing.

However, I can see the same arguments would apply to (for example) lockpicks, spy cameras and dozens of other items that have few if any legitimate uses - however, absent specific laws, they have yet to make selling such things illegal (even if possession may be in many places) and I have yet to see any claims that the defendent himself actually took part in any of the illegal activity.

Absent that, holding him for conspiracy (much less having him yanked from a foreign country to do so) may turn out to be an expensive mistake.
Sara Peters
Sara Peters,
User Rank: Author
6/2/2014 | 9:24:00 AM
Re: Verdict and Adaptation
@RyanSepe  I totally agree, Ryan. Someone else will pick up the mantle of Blackshades, or someone else in the biz will resurrect it or build another new user-friendly RAT. I'm glad that they had such a successful sting. Hopefully some of the charges will stick. But it's certainly not the end.
User Rank: Ninja
5/30/2014 | 10:11:59 PM
Verdict and Adaptation
I will be interested to see the verdict for the owners of blackshades.

However, I believe it to be only a matter of time before this RAT source code is adapted and becomes more sophisticated. It will be renamed and will rear its ugly head once more. Malware many times seems to follow this trend, I can't see why such an easily usable software that provides all types of malicious capabilities wouldn't.
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-06-21
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI.
PUBLISHED: 2018-06-21
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
PUBLISHED: 2018-06-21
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attack...