A new report released by Citizens Lab presents circumstantial evidence suggesting that the Islamic State was behind a recent cyber hack targeting Syrian activists critical of the militant group.

The attack was designed to unmask the location of a Syrian citizen media group critical of ISIS, Raqqah is Being Slaughtered Silently (RSS), which works mainly to document human rights abuses committed by ISIS. Prior to ISIS taking over its hometown of Raqqah, the group was exposing injustices committed by the Assad regime.

Along with targeting the group in house raids, kidnappings and an alleged assassination, the University of Toronto's Citizen Lab says it now suspects ISIS of targeting the group with malware.

"Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible," the report said. "The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is focused against a group that is an active target of ISIS forces."

The targeted victim first receives an anti-ISIS email baiting them into downloading the infected files, which are masked as a "lengthy report on the realities of life in Raqqah," according to the email obtained by Citizen Lab.

"We are sharing some information with you with the hope that you will correct it in case of errors," the email continues.

The victim is encouraged to download pictures portraying an alleged ISIS stronghold and U.S. airstrike targets, and included is a link.

When the additional files are downloaded, malware files are installed onto the target's computer and sends out private information about the victim.

"The custom malware used in this attack infects a user who views the decoy 'slideshow,' and beacons home with the IP address of the victim's computer and details about his or her system each time the computer restarts," the report said.

The malware is unusual because it doesn't provide remote access to the victim's computer. Instead, it only sends an email containing the victim's IP address and miscellaneous system information, and relies on a half-dozen separate executable files, each with a single task, and each communicating via markers dropped in the Registry, said Citizen Lab.

"Unlike Syrian regime-linked malware, it contains no Remote Access Trojan (RAT) functionality, suggesting it is intended for identifying and locating a target," the researchers said, suggesting the malware was not tied to Assad.

@ 2024 HNGN, All rights reserved. Do not reproduce without permission.