06:16 PM
Connect Directly

Blackshades Boss Pleads Not Guilty

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

Alex Yucel, 24, the alleged co-author of the Blackshades remote access Trojan (RAT) and owner-operator of the BlackShades organization, pleaded not guilty Thursday to multiple cybercrime charges levied against him last week as part of a major FBI sting that netted more than 90 other arrests. (BlackShades co-author Michael Hogue, a.k.a. "xVisceral," arrested in June 2012, has pleaded guilty.) If convicted, Yucel, a.k.a. "marjinz," a.k.a. "Victor Soltan," faces up to 15 years in prison -- and the evidence against him is extensive.

As described in court documents describing charges against another Blackshades employee, law enforcement has records of Yucel paying to lease computers, employee reviews he wrote, employee payment records, and chains of emails between him and an insider who turned FBI informant.

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

As for the malware itself (detected as WORM_SWISYN.SM), it is a very robust, very user-friendly RAT toolkit. As Symantec describes, "A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.

It can be used to log keystrokes, launch denial-of-service attacks, and download and run malware onto the affected system. It can spread via USB drives, social network accounts, or instant messages; it even automatically generates a draft of the message. It includes built-in marketplaces for buying bots and crypters.

Brian Wallace at Cyclance gives a good rundown of the malware's features, adding:

Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features.”

In addition to being a friendly one-stop-shop, the organization has provided professional service. Court documents state that Yucel had hired a marketing director, a website developer, and a team of customer service representatives. The malware was frequently updated. The organization had a detailed database of over 6,000 customer profiles.

It seemed that the people running BlackShades forgot that they were running an illegal operation. The $40 price tag for their product and services -- plus the fact that older versions of the software were available for free -- did not reflect the high risk of doing business. Although the low price helped make BlackShades popular, the malware wasn't terribly lucrative. Law enforcement estimates that the company made approximately $350,000 over the period from September 2011 to April 2014 -- that's only an average of $7,095 per month to split between all employees.

Although the US government arrested over 90 Blackshades employees and customers, seized more than 1,900 domain names used by Blackshades customers to control infected computers, and shut down the site used to sell the product, security experts say that the threat still exists.

Adam Kujawa, lead of the malware intelligence team at Malwarebytes, wrote today that after just a little searching he found and downloaded a freemium version of BlackShades -- not as up-to-date or feature-rich as the most recent version, but still dangerous. "So if you are wondering if an outdated version of Blackshades is even a threat," writes Kujawa, "the answer is absolutely."

On the plus side, says Kujawa, the BlackShades business was suffering a bit recently anyway. He writes:

Fortunately, the interest in Blackshades has decreased due to an array of different issues with the product. Customers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions discovered that opened a backdoor onto the attackers' system, essentially turning a bad guy into just another victim.

TrendMicro researchers say that another problem BlackShades brought upon itself was that, because of its very accessible, user-friendly nature, it appealed to amateur ne'er-do-wells, enabled "entry-level cybercrime," and left itself more exposed to risk. As TrendMicro Threat Response Engineer Rhena Inocencio wrote Monday:

The scale of the arrests -- rarely have so many cybercriminals been arrested in one go -- is entirely due to Blackshades' ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

There were relatively few barriers to entry -- in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

While the Blackshades' product and services were exemplary, Yucel's failings in finance and risk management might be his undoing.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
6/3/2014 | 10:51:48 AM
More interested in what charges will really stand up in court
This is going to be an odd one.

Blackshades is, obviously, an abomination, and despite the protestations of some of the customers, I very much doubt there is any legitimate reason for a normal person to buy such a thing.

However, I can see the same arguments would apply to (for example) lockpicks, spy cameras and dozens of other items that have few if any legitimate uses - however, absent specific laws, they have yet to make selling such things illegal (even if possession may be in many places) and I have yet to see any claims that the defendent himself actually took part in any of the illegal activity.

Absent that, holding him for conspiracy (much less having him yanked from a foreign country to do so) may turn out to be an expensive mistake.
Sara Peters
Sara Peters,
User Rank: Author
6/2/2014 | 9:24:00 AM
Re: Verdict and Adaptation
@RyanSepe  I totally agree, Ryan. Someone else will pick up the mantle of Blackshades, or someone else in the biz will resurrect it or build another new user-friendly RAT. I'm glad that they had such a successful sting. Hopefully some of the charges will stick. But it's certainly not the end.
User Rank: Ninja
5/30/2014 | 10:11:59 PM
Verdict and Adaptation
I will be interested to see the verdict for the owners of blackshades.

However, I believe it to be only a matter of time before this RAT source code is adapted and becomes more sophisticated. It will be renamed and will rear its ugly head once more. Malware many times seems to follow this trend, I can't see why such an easily usable software that provides all types of malicious capabilities wouldn't.
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.