The past three classes focused on methods of server encryption, most likely for the use of RATs, as the course’s content suggests. Though the organization stated its allegiance to al-Qaeda, its contents are branded with the ISIS flag. The material’s publication online coincides with a series of attacks by ISIS-affiliated hackers against US military targets.
The course is being published on one of the various online global Jihad forums and is offered in both video and text versions. So far, three parts of the course have been published, all uploaded to the popular YouTube channel of one Yaha AlNemr. The course’s branding suggests that it is ISIS-affiliated, as the organization’s flag decorates its front page.
The first part of the course promises to teach prospective students how to hack computers and emails. According to the course, this can be done by phishing methods, most commonly via infected files attached to emails. The course’s author recommends using NjRAT for hacking, though he does mention Bifrost and SpyNet. The author also suggests hacking email accounts using malicious, socially engineered web pages. The course suggests that hackers use the No-IP service, which makes it possible to maintain the anonymity of permanent servers used for malicious purposes.
The course’s second part shows how to open port 1177 for use by NjRAT. The author mentions that the malware’s newer version uses port 5522. The third and latest part of the course explains how to encrypt servers in order to avoid detection by security software. The following products offering server encryption are listed: Babel 7.6, Babel, Rpx 4.0, DeepSea and Smart Assembly 6.0.
The group’s affiliation remains unclear. Though it officially announces itself as al-Qaeda affiliated, its branding matches that of ISIS. In a post on an online Jihad community, the user named “Electronic Jihad” says it has certain ties with the Iraqi Ba’ath party, though the organization is politically unaffiliated and “is affiliated to the Muslims and the fighters.”
ISIS’ hacking abilities became a widely discussed subject last January, when hackers claiming allegiance to the organization took over US military social media accounts. On January 12 the hackers took over the Twitter and YouTube accounts of the Pentagon’s Central Command. The hackers posted the tweet: “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS,” replacing the military logo with the title “Cyber Caliphate” over a black-and-white image of a kaffiyeh-wearing terrorist. The hackers also published a spreadsheet of office addresses and e-mails belonging to Defense Department workers, in addition to an apparent internal list of the home addresses and e-mails of retired generals.
In March 2014, Symantec published a report reviewing the rising use of NjRAT by Middle Eastern cybercrime actors. It appears that the malware’s popularity in the region did not go unnoticed by this new global Jihad group, which emphasizes its use in its distributed materials.
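For defenders, the two NjRAT ports and the dynamic-DNS service named in the course can be combined into a simple network triage rule. The sketch below is an added example, not part of the original article: the log format, sample lines, the `triage` function and the list of No-IP domain suffixes are all assumptions made for illustration.

```python
import re
from collections import defaultdict

NJRAT_PORTS = {1177, 5522}  # ports the article attributes to NjRAT
# Assumption: a sample of No-IP dynamic-DNS suffixes, not listed in the article.
DDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".zapto.org", ".hopto.org")
DNS_RE = re.compile(r"^(\S+) DNS (\S+) query=(\S+) answer=(\S+)$")
CONN_RE = re.compile(r"^(\S+) CONN (\S+) -> (\S+):(\d+) tcp$")

# Constructed sample log (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2015-01-20T10:00:01Z DNS 10.0.0.5 query=constructed-host.ddns.net answer=203.0.113.7
2015-01-20T10:00:02Z CONN 10.0.0.5 -> 203.0.113.7:1177 tcp
2015-01-20T10:01:00Z CONN 10.0.0.8 -> 198.51.100.20:5522 tcp
2015-01-20T10:02:00Z DNS 10.0.0.9 query=www.example.com answer=198.51.100.30
2015-01-20T10:02:01Z CONN 10.0.0.9 -> 198.51.100.30:443 tcp
2015-01-20T10:03:00Z DNS 10.0.0.6 query=constructed-two.zapto.org answer=203.0.113.9
2015-01-20T10:03:01Z CONN 10.0.0.6 -> 203.0.113.9:8080 tcp
""".splitlines()

def triage(lines):
    """Return (severity, client, dst_ip, dst_port, hostname) per suspicious flow."""
    resolved = defaultdict(dict)  # client -> {resolved ip: queried hostname}
    findings = []
    for line in lines:
        dns = DNS_RE.match(line)
        if dns:
            _, client, name, ip = dns.groups()
            resolved[client][ip] = name.lower().rstrip(".")
            continue
        conn = CONN_RE.match(line)
        if not conn:
            continue  # ignore lines in any other format
        _, client, dst, port = conn.groups()
        name = resolved[client].get(dst)
        ddns = bool(name) and name.endswith(DDNS_SUFFIXES)
        known_port = int(port) in NJRAT_PORTS
        if known_port and ddns:
            severity = "high"    # default port plus dynamic-DNS destination
        elif known_port:
            severity = "medium"  # port alone also matches unrelated traffic
        elif ddns:
            severity = "low"     # operator may have changed the default port
        else:
            continue
        findings.append((severity, client, dst, int(port), name))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The ports are defaults that an operator can change, so the port match is a triage signal rather than proof of infection; the dynamic-DNS correlation is what raises confidence.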