

Pro-ISIS Jihadists Dabble in Encryption, Prove Under-Sophisticated


Jihadi actors have been experimenting with encrypted communication technologies since as early as 2008. Through the development of proprietary encrypted communication tools and the growing adoption of various cyber technologies, these actors have demonstrated an increased interest in obfuscating their digital fingerprints. This interest is underscored through discussions on top jihadi web forums, where members often converse about the pros, cons, and capabilities of different encryption tools. As more jihadists recognize the criticality of avoiding surveillance in today’s digital age, encrypted communication tools have become more popular than ever before. Many jihadists depend heavily on these tools because without them, the risk of surveillance and even jail time is high. For some jihadists, having access to encrypted communication tools can even be a matter of life or death.

Recently, Flashpoint analysts obtained an exclusive copy of a newly developed piece of jihadi encrypted-communication software. First released via a popular ISIS Deep Web forum, the software was developed by “Turgeman Khwarizmi,” a jihadi actor known for his previous work developing other proprietary digital tools.

Below, we’ve included an assessment of the software and what it reveals about the general capabilities of pro-ISIS cyber actors.

Static analysis of the binary shows that the file was built with the .NET framework. When we open the file for analysis, we are presented with an installer screen in French.
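One way an analyst can confirm the .NET finding during static triage is to check whether the PE optional header carries a non-empty CLR runtime header (data directory index 14). This is an added example, not Flashpoint's tooling; the function names are hypothetical and the sample header is constructed for the demonstration.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def is_dotnet_pe(data: bytes) -> bool:
    """Return True if the PE image declares a non-empty CLR runtime header."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt_off = pe_off + 4 + 20                               # signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic == 0x10B:        # PE32: directories start at offset 96
            dir_off = opt_off + 96
        elif magic == 0x20B:      # PE32+: directories start at offset 112
            dir_off = opt_off + 112
        else:
            return False
        # NumberOfRvaAndSizes sits immediately before the directory table.
        (num_dirs,) = struct.unpack_from("<I", data, dir_off - 4)
        if num_dirs <= CLR_DIR_INDEX:
            return False
        rva, size = struct.unpack_from("<II", data, dir_off + CLR_DIR_INDEX * 8)
        return rva != 0 and size != 0
    except struct.error:          # truncated or malformed header
        return False

def build_sample(clr_rva: int, clr_size: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print("managed sample:", is_dotnet_pe(build_sample(0x2008, 0x48)))
    print("native sample: ", is_dotnet_pe(build_sample(0, 0)))
```

A positive result tells the analyst the binary is a managed assembly, so a .NET decompiler will recover readable source of the kind examined in this post.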

Image 1: French install screen


Once installation completes, the encryption tool resides in “C:\Program Files (x86)\Turgeman Khwarizmi\Infos Encrypter – By Turgeman Khwarizmi\.” Other tools written by the author are also installed to the “C:\Program Files (x86)\Turgeman Khwarizmi” directory.

Next, let’s look at the encryption tool:

Image 2: Screenshot of encryption tool


By looking at the source code, we can piece together what each box is and does.

Image 3: Annotated Window


When we examine the decompiled source code, we gain some insight into the tool’s overall construction as well as Khwarizmi’s level of expertise.

Image 4: Button Click to do something


Here, we can see that the function is carried out only when the user clicks the button. While Khwarizmi could be using some advanced level of encryption, let’s first look at what happens when he generates the key. His tool uses the built-in RSA encryption functions to create a key when “Button4” is pushed. Khwarizmi’s tool warns the user to use keys larger than 4096 bits.

Image 5: Key generation


While RSA is considered a strong algorithm, the biggest takeaway from analyzing this piece of software is that Khwarizmi relies on built-in encryption algorithms to create a rather rudimentary program. The program is no more sophisticated than pushing a button to run a function, which is in line with other software by Khwarizmi.

Our assessment of the software suggests that, at least in this case, this pro-ISIS cyber actor’s encryption capabilities are under-sophisticated, and his accomplishments are less than effective. This weak start does not mean, however, that these actors are not looking for more and better ways to communicate privately and expand their cyber knowledge. The evidence suggests otherwise, as online ISIS supporters are increasingly researching tools and techniques to hide their online footprint. For now, actors like Khwarizmi have a lot to learn and catch up on first.


About the author: Ronnie Tokazowski

Ronnie Tokazowski is a Senior Malware Analyst at Flashpoint who specializes in APT, crimeware, and cryptanalysis. When he’s not cooking, he’s reversing new strains of malware and breaking different malware protocols in order to understand how they work.

About the author: Laith Alkhouri


Laith Alkhouri is co-founder and Director of Advanced Solutions at Flashpoint. A native Arabic speaker and on-air terrorism analyst for NBC News, Mr. Alkhouri supports law enforcement on national security investigations, bringing expertise on Deep & Dark Web networks used by terrorist groups and their supporters. Over the past decade, Mr. Alkhouri has researched thousands of jihadist operations, analyzing terrorist activities with a focus on the use of technology and the Internet. He’s presented to the State Department, Department of Justice, Department of Defense, House of Representatives, Council on Foreign Relations, NYPD, and others. Mr. Alkhouri is frequently cited in global media and holds an MS in International Affairs and a BA in Political Science.

About the author: Vitali Kremez

Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies deliver indictments of many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney's Office.

He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.