Alex Yucel, 24, the alleged co-author of the Blackshades remote access Trojan (RAT) and owner-operator of the BlackShades organization, pleaded not guilty Thursday to multiple cybercrime charges levied against him last week as part of a major FBI sting that netted more than 90 other arrests. (BlackShades co-author Michael Hogue, a.k.a. "xVisceral," arrested in June 2012, has pleaded guilty.) If convicted, Yucel, a.k.a. "marjinz," a.k.a. "Victor Soltan," faces up to 15 years in prison -- and the evidence against him is extensive.
As described in court documents describing charges against another Blackshades employee, law enforcement has records of Yucel paying to lease computers, employee reviews he wrote, employee payment records, and chains of emails between him and an insider who turned FBI informant.
The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.
As for the malware itself (detected as WORM_SWISYN.SM), it is a very robust, very user-friendly RAT toolkit. As Symantec describes, "A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.
It can be used to log keystrokes, launch denial-of-service attacks, and download and run malware onto the affected system. It can spread via USB drives, social network accounts, or instant messages; it even automatically generates a draft of the message. It includes built-in marketplaces for buying bots and crypters.
Brian Wallace at Cyclance gives a good rundown of the malware's features, adding:
Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features.”
In addition to being a friendly one-stop-shop, the organization has provided professional service. Court documents state that Yucel had hired a marketing director, a website developer, and a team of customer service representatives. The malware was frequently updated. The organization had a detailed database of over 6,000 customer profiles.
It seemed that the people running BlackShades forgot that they were running an illegal operation. The $40 price tag for their product and services -- plus the fact that older versions of the software were available for free -- did not reflect the high risk of doing business. Although the low price helped make BlackShades popular, the malware wasn't terribly lucrative. Law enforcement estimates that the company made approximately $350,000 over the period from September 2011 to April 2014 -- that's only an average of $7,095 per month to split between all employees.
Although the US government arrested over 90 Blackshades employees and customers, seized more than 1,900 domain names used by Blackshades customers to control infected computers, and shut down the bshades.eu site used to sell the product, security experts say that the threat still exists.
Adam Kujawa, lead of the malware intelligence team at Malwarebytes, wrote today that after just a little searching he found and downloaded a freemium version of BlackShades -- not as up-to-date or feature-rich as the most recent version, but still dangerous. "So if you are wondering if an outdated version of Blackshades is even a threat," writes Kujawa, "the answer is absolutely."
On the plus side, says Kujawa, the BlackShades business was suffering a bit recently anyway. He writes:
Fortunately, the interest in Blackshades has decreased due to an array of different issues with the product. Customers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions discovered that opened a backdoor onto the attackers' system, essentially turning a bad guy into just another victim.
TrendMicro researchers say that another problem BlackShades brought upon itself was that, because of its very accessible, user-friendly nature, it appealed to amateur ne'er-do-wells, enabled "entry-level cybercrime," and left itself more exposed to risk. As TrendMicro Threat Response Engineer Rhena Inocencio wrote Monday:
The scale of the arrests -- rarely have so many cybercriminals been arrested in one go -- is entirely due to Blackshades' ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).
There were relatively few barriers to entry -- in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.
This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.
While the Blackshades' product and services were exemplary, Yucel's failings in finance and risk management might be his undoing.