A lot of people want to hack the Islamic State. Whether it's hackers publicly releasing terrorist supporters' messages, or the US military using cyberweapons on the battlefield, the Islamic State is a pretty obvious target.
On Wednesday, the Islamic State's Amaq media channel claimed its website had been hacked, and warned visitors about malware being distributed on the site.
"Warning! Amaq's website has been penetrated and requests downloading a virus file disguised as a Flash installer. Please exercise caution," reads a translation of the announcement from Amaq, posted to Twitter by independent researcher Raphael Gluck.
Amaq's website is used by the Islamic State to spread propaganda and "official" announcements and videos.
The hackers, whoever they may be, seemingly took over the Amaq website and attempted to deliver malware indiscriminately: anyone visiting the website would have met a prompt for a fake Flash update, Gluck told Motherboard in a Twitter direct message.
Gluck provided Motherboard with a sample of the file allegedly distributed on Amaq. Simply named "FlashPlayer_x86.exe," the file is marked as malicious by a wide range of anti-virus products, according to the online analysis tool VirusTotal. Many of the security programs describe the file as a generic trojan or backdoor for Windows platforms.
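The lure described above, a fake Flash installer pushed to every visitor, leaves a recognisable trace in web-proxy logs: an executable download whose filename imitates an Adobe Flash installer but which is served from a host that is not Adobe's. The script below is an added example written for this article, not code from Motherboard, Gluck or Core Security. The log format, the sample lines, the `.invalid` host names and the `TRUSTED_FLASH_HOSTS` allow-list are all constructed assumptions; only the filename `FlashPlayer_x86.exe` comes from the article.

```python
"""
Hunting for fake "Flash Player" installer downloads in web-proxy logs.

Flags GET requests for Windows executables whose filename looks like a
Flash installer or update (as used in drive-by "update Flash" lures) but
which were served from a host outside the trusted Adobe download hosts.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption: hosts that legitimately served Flash Player installers.
# Adjust to the allow-list your organisation actually trusts.
TRUSTED_FLASH_HOSTS = {
    "get.adobe.com",
    "fpdownload.adobe.com",
    "fpdownload.macromedia.com",
}

# Filename shapes typical of fake-update lures: FlashPlayer_x86.exe,
# install_flash_player.exe, flash_update_v30.exe, ... (case-insensitive).
LURE_NAME = re.compile(
    r"(flash[_\-]?player|install[_\-]?flash|flash[_\-]?update)[\w\-]*\.(exe|msi|scr)$",
    re.IGNORECASE,
)

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample log; hosts use the reserved .invalid TLD on purpose.
SAMPLE_LOG = """\
2018-04-11T10:02:13Z 10.1.4.22 GET http://get.adobe.com/flashplayer/download/install_flash_player.exe 200 application/octet-stream
2018-04-11T10:05:41Z 10.1.4.23 GET http://example-news.invalid/ 200 text/html
2018-04-11T10:05:44Z 10.1.4.23 GET http://example-news.invalid/update/FlashPlayer_x86.exe 200 application/x-msdownload
2018-04-11T10:06:02Z 10.1.4.25 GET http://cdn.example.invalid/flash_update_v30.exe?id=7 200 application/octet-stream
2018-04-11T10:07:19Z 10.1.4.26 GET http://files.example.invalid/report.pdf 200 application/pdf
this line is deliberately malformed
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fake_flash_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious Flash-installer download.

    A download is suspicious when the requested filename matches LURE_NAME
    and the serving host is not in TRUSTED_FLASH_HOSTS. Malformed lines and
    non-GET requests are skipped.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        # Last path component; the query string is not part of the filename.
        filename = parts.path.rsplit("/", 1)[-1]
        if not LURE_NAME.search(filename):
            continue
        if host in TRUSTED_FLASH_HOSTS:
            continue
        hits.append(
            {"ts": rec["ts"], "client": rec["client"], "host": host, "file": filename}
        )
    return hits


if __name__ == "__main__":
    for hit in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched {hit['file']} from {hit['host']}")
```

On the constructed sample the legitimate `install_flash_player.exe` from `get.adobe.com` is ignored, while `FlashPlayer_x86.exe` and `flash_update_v30.exe` from the two untrusted hosts are reported; the `client` field is what you would pivot on next, since any machine that fetched the lure may have run the dropper.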
Willis McDonald, threat researcher at Core Security, told Motherboard in an email that the file was a dropper—a piece of software that installs malware—for Bladabindi, otherwise known as NJRat. According to a Microsoft post on Bladabindi, the malware can siphon sensitive information and open up the machine to more attacks.
"This remote-access-tool (RAT) has the capability to steal credentials, take screenshots, take pictures or video through the webcam, log keystrokes and transfer files. This tool has been around since at least 2013 and is very common due to a leaked builder and server freely available on low-level criminal forums that allows the attacker to create their own customized RAT," McDonald said.
Given the rather generic nature of the malware, it is not immediately clear, without further analysis, who may have distributed it.
"Given its common use in Middle Eastern cyber crime, it could be that this was nothing more than a common cyber crime campaign rather than a campaign specifically targeted at ISIS," McDonald added.
Hackers may have indirectly delivered the malware to other targets too. The independent researcher known as Switched showed Motherboard a shortened Bitly link, which sent users to the infected Amaq site. When clicked, a warning page from Bitly says the service may have "detected potentially malicious content."
Several now-banned Arabic language Twitter accounts posted that Bitly link less than 24 hours ago, and the link is still available on two other websites. (Whoever is in control of the email account linked to the domain's WHOIS records did not respond to a request for comment.)
According to Bitly's own analytic tools, the link has been clicked over 600 times since Wednesday.
Hackers have used extremist forums to deliver malware before. During the Iraq War, NSA analysts infiltrated Al-Qaeda's network of websites and planted malware in their forums, according to a section of Shane Harris' 2014 book, @war.
Amaq has since moved to another domain, and when accessed by Motherboard the site did not appear to trigger any download of the fake Flash Player. But it would be safe to bet that the hackers will be back.
Update: This piece has been updated to include additional comment from McDonald.