Blue Coat Labs

Labs Blog

Miscreants say "Je suis Charlie" too

Ashwin K. Vamshi

It is very common for malicious actors to attempt to exploit trending news in order to lure users into executing malicious programs. As a regular practice we keep track of such instances. In the most recent case I happened to come across an interesting malware sample (md5 hash 3c5266cab10c78f3a49985806c217a40) with the theme "Je suis Charlie", a slogan that has gone viral after the 7 January 2015 massacre at the Charlie Hebdo offices in Paris. This malware was found in our stream of incoming material, so we don't yet know how it has been distributed. It is likely, given the subject, that attempts have been made to spread it using some kind of social engineering trick.

The malware in question is the infamous DarkComet RAT (aka Fynloski), a freely available remote administration tool which can also double as a powerful backdoor trojan. DarkComet was originally developed by the French hacker DarkCoderSc, who stopped further development on the project in 2012. Nevertheless, its ease of use and rich set of features have kept it popular with all sorts of attackers – from script kiddies and activists to more sinister players.

The variant used in the present attack is obfuscated to make it less likely to be noticed by AV scanners. The DarkComet Delphi code is enveloped in a .NET wrapper, making the telltale signs of DarkComet hard to spot. Indeed, the AV detection rate of this executable is poor at the time of writing – only 2/53 scanners on the VirusTotal online scanner service detected it.

Nevertheless, the Blue Coat Malware Analysis appliance reveals that it is up to no good:

As the analysis shows, the sample drops a copy of itself with the name svchost.exe and launches an image of a new-born baby with a band carrying the slogan “Je suis Charlie”. This image appears to have been harvested from public sources.

The sample also displays a message in French to mislead the user into believing that the binary was created by a previous version of MovieMaker:

The Command and Control host is a subdomain under the no-ip dynamic DNS domain. This is a well-known legitimate dynamic DNS service which is, however, often used by malicious actors.

The actual domain address is: snakes63.no-ip[.]org

This address currently resolves to an IP address located with the French service provider Orange. The French IP address and the error message in French reinforce the impression that this malware was targeted at French users, though we have no indication as to who the attackers are or what they are after. We have in any case informed the French authorities about this malware.
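The three observable behaviours described above (the published MD5, a copy of the sample dropped as svchost.exe, and a C2 host under a dynamic DNS provider) translate directly into triage checks. The following is an added example, not Blue Coat's own tooling: it runs those checks over a few constructed sandbox and DNS log lines. The only indicator taken from this post is the MD5 hash and the no-ip.org parent domain; the log format, the file paths and the additional dynamic DNS suffixes are assumptions made for the demonstration.

```python
"""Triage helper (added example, not Blue Coat's tooling). Flags, in constructed
log lines, the behaviours the post describes:
  1. a file hash matching the published MD5 indicator,
  2. a process named svchost.exe running outside the Windows system directories,
  3. DNS queries for hosts under a dynamic DNS provider such as no-ip.org.
"""
import re

# Indicator taken from the post. Every other value in this file is constructed.
KNOWN_MD5 = {"3c5266cab10c78f3a49985806c217a40"}

# no-ip.org is named in the post; the other suffixes are an assumption to make
# the rule cover further well-known dynamic DNS providers.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "hopto.org")

# The only directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed log format: 'FILE <md5> <path>', 'PROC <image path>', 'DNS <host>'.
LINE_RE = re.compile(r"^(?P<kind>FILE|PROC|DNS)\s+(?P<value>.+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as snakes63.no-ip[.]org into a usable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_dyndns_host(host: str) -> bool:
    """True when the host is, or sits under, one of the dynamic DNS suffixes."""
    host = refang(host).lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def suspicious_svchost(image_path: str) -> bool:
    """True when an svchost.exe image runs from anywhere but the system directories."""
    p = image_path.lower().replace("/", "\\")
    if not p.endswith("\\svchost.exe"):
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS)


def triage(lines):
    """Return (rule, evidence) tuples for every log line that trips a check."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unknown line shape; ignore rather than guess
        kind, value = m.group("kind"), m.group("value")
        if kind == "FILE":
            md5, _, path = value.partition(" ")
            if md5.lower() in KNOWN_MD5:
                hits.append(("known_md5", path))
        elif kind == "PROC" and suspicious_svchost(value):
            hits.append(("svchost_outside_system32", value))
        elif kind == "DNS" and is_dyndns_host(value):
            hits.append(("dyndns_c2_candidate", refang(value)))
    return hits


# Constructed sample log: the paths and the benign entries are invented for the demo.
SAMPLE_LOG = [
    "FILE 3c5266cab10c78f3a49985806c217a40 C:\\Users\\demo\\Downloads\\sample.exe",
    "PROC C:\\Windows\\System32\\svchost.exe",
    "PROC C:\\Users\\demo\\AppData\\Roaming\\svchost.exe",
    "DNS snakes63.no-ip.org",
    "DNS update.microsoft.com",
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

The dynamic DNS check deliberately matches on the parent domain rather than the single subdomain seen here, since a RAT operator can re-register a fresh no-ip subdomain at any time; the `refang` helper lets indicators be stored in the defanged form used in this post and still be compared against live log data.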

We will continue to monitor activities in this space and keep you posted. For now, just be alert that items of great media interest like this may contain malware. There really is nothing so sacred that bad people won’t try to exploit it.