Jihadi actors have been experimenting with encrypted communication technologies since as early as 2008. Through the development of proprietary encrypted communication tools and the growing adoption of various cyber technologies, these actors have demonstrated an increased interest in obfuscating their digital fingerprints. This interest is underscored by discussions on top jihadi web forums, where members often converse about the pros, cons, and capabilities of different encryption tools. As more jihadists recognize the criticality of avoiding surveillance in today’s digital age, encrypted communication tools have become more popular than ever before. Many jihadists depend heavily on these tools because without them, the risk of surveillance and even jail time is high. For some jihadists, having access to encrypted communication tools can even be a matter of life or death.
Recently, Flashpoint analysts obtained an exclusive copy of a newly developed piece of jihadi encrypted-communication software. First released via a popular ISIS Deep Web forum, the software was developed by “Turgeman Khwarizmi,” a jihadi actor known for his previous work developing other proprietary digital tools.
Below, we’ve included an assessment of the software and what it reveals about the general capabilities of pro-ISIS cyber actors.
Starting with static analysis of the binary, we can see that the file was created using the .NET framework. Once we open the file for analysis, we are presented with an installer screen in French.
Image 1: French install screen
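One way to confirm the .NET observation during static triage, shown as an added example that is not Flashpoint's code or tooling: a managed assembly carries a non-empty CLR runtime header entry (data directory 14) in its PE optional header. The helper names and the header-only sample image are constructed for illustration.

```python
import struct
import sys

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR header directory, or None if not a parsable PE."""
    try:
        if data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24  # skip 4-byte signature and 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        fixed = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ fixed part
        if fixed is None:
            return None
        (count,) = struct.unpack_from("<I", data, opt + fixed - 4)
        if count <= CLR_DIR_INDEX:
            return (0, 0)  # directory table too short to hold a CLR entry
        return struct.unpack_from("<II", data, opt + fixed + 8 * CLR_DIR_INDEX)
    except struct.error:  # truncated or malformed header
        return None

def is_dotnet(data: bytes) -> bool:
    """True when the PE declares a non-empty CLR runtime header."""
    d = clr_directory(data)
    return bool(d and d[0] and d[1])

def make_sample(clr_rva: int, clr_size: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    fixed = 96 if magic == 0x10B else 112
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * CLR_DIR_INDEX, clr_rva, clr_size)
    return dos + coff + opt + bytes(dirs)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # triage real files passed on the command line
        with open(path, "rb") as fh:
            print(path, "managed (.NET)" if is_dotnet(fh.read()) else "native or not a PE")
    print("constructed managed sample:", is_dotnet(make_sample(0x2008, 0x48)))
    print("constructed native sample:", is_dotnet(make_sample(0, 0)))
```

A positive result means the sample can be opened in a .NET decompiler for source-level review rather than a native disassembler.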
The installer places the encryption tool in “C:\Program Files (x86)\Turgeman Khwarizmi\Infos Encrypter – By Turgeman Khwarizmi\”. Other tools written by the author are also installed to the “C:\Program Files (x86)\Turgeman Khwarizmi” directory.
Next, let’s look at the encryption tool:
Image 2: Screenshot of encryption tool
By looking at the source code, we can piece together what each box is and does.
Image 3: Annotated Window
When we examine the decompiled source code, we gain some insight into the tool’s overall construction as well as Khwarizmi’s level of expertise.
Image 4: Button Click to do something
Here, we can see that for the function to run, the user must click the button to perform an action. While Khwarizmi could be using some advanced level of encryption, let’s first take a look at what happens when he generates the key. His tool uses the built-in RSA encryption functions to create a key when “Button4” is pushed. Khwarizmi’s tool warns the user to use keys larger than 4096 bits.
Image 5: Key generation
While RSA is considered a strong algorithm, the biggest takeaway from analyzing this piece of software is that Khwarizmi is using built-in encryption algorithms to create a rather rudimentary program. The program is only as sophisticated as pushing a button to perform a function, which is consistent with other software by Khwarizmi.
Our assessment of the software suggests that, at least in this case, this pro-ISIS cyber actor’s encryption capabilities are unsophisticated, and his accomplishments are less than effective. This weak start does not mean, however, that these actors are not looking for more and better ways to communicate privately and expand their cyber knowledge. The evidence suggests otherwise, as online ISIS supporters are increasingly researching tools and techniques to hide their online footprint. For now, actors like Khwarizmi still have a lot to learn and catch up on.