On March 29, 2017, the ISIS-affiliated media unit A’maq Media released a statement warning followers that the organization’s website had been hacked and was distributing a “virus file,” referring to a Trojan that visitors were prompted to download. The message from A’maq pled “please be careful.” Shortly thereafter, pro-ISIS jihadists echoed A’maq’s admonition and circulated a warning on Telegram:
The above message is taken from a trusted source. Be careful! Do not download anything from Amaq site… Do not enter the site as it has been hacked
Members on a top ISIS deep web forum further corroborated this claim. One such actor asserted that his system was infected after accessing the A’maq website. In response, members shared operational security tips, which included using Tor browser, forbidding scripts from running, employing Malwarebytes antivirus software, and avoiding loading Flash Player “from any location whatsoever.”
However, perhaps the most important safeguard against such attempts is the forum itself. After obtaining a copy of the malware for analysis, Flashpoint analysts found that the A’maq website was infected by a commonly available Trojan, “NJRat,” disguised as an Adobe Flash Player installer. Analysis of the traffic between the malware and its command-and-control (C2) server suggests that the actor behind the malware sought to target A’maq and the site’s visitors specifically, rather than the site having been infected as part of an unrelated campaign. Evidence of this was found in a Base64-encoded string that contained the campaign name: “amaq_62032202.”[1] This is far from the first targeted attempt against the ISIS community. Unknown actors have repeatedly produced and disseminated malicious copies of ISIS propaganda, which routinely resemble legitimate ISIS content, complete with accurate watermarks and other deceiving characteristics. For instance, in early March 2017, a fake issue of ISIS’s multi-language magazine Rumiyah circulated, prompting the following warning on multiple ISIS Telegram channels:
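The campaign name was recovered from a Base64-encoded field in the C2 traffic. As an added example (not Flashpoint’s analysis tooling, and not NJRat’s actual wire format), the following Python helper shows how an analyst triages a captured beacon for such tags: it pulls out every run of Base64-alphabet characters, decodes only those that are valid Base64 and yield printable ASCII, and filters for the “amaq_” prefix. The beacon string, its field separator, and the hostname are constructed for the example; only the campaign name “amaq_62032202” comes from the page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample of a C2 beacon (not a real NJRat capture): plaintext
# fields separated by "|'|'|", one of which is a Base64-encoded campaign tag.
SAMPLE_BEACON = "ll|'|'|YW1hcV82MjAzMjIwMg==|'|'|DESKTOP-1|'|'|0123456789ab|'|'|user"

# Runs of Base64-alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_if_text(token: str) -> Optional[str]:
    """Return the decoded string if `token` is valid Base64 yielding printable ASCII."""
    # Restore padding that a copy/paste or a chatty protocol may have dropped.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Random alphanumeric runs usually decode to binary junk; keep only printable text.
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def decoded_tokens(traffic: str) -> Dict[str, str]:
    """Map every Base64-looking token in `traffic` to its printable decoding, for review."""
    out: Dict[str, str] = {}
    for match in B64_TOKEN.finditer(traffic):
        text = decode_if_text(match.group(0))
        if text is not None:
            out[match.group(0)] = text
    return out


def extract_campaign_tags(traffic: str, prefix: str = "amaq_") -> List[str]:
    """Decoded tokens that start with `prefix`, i.e. candidate campaign identifiers."""
    return [text for text in decoded_tokens(traffic).values() if text.startswith(prefix)]


if __name__ == "__main__":
    print(decoded_tokens(SAMPLE_BEACON))
    print(extract_campaign_tags(SAMPLE_BEACON))
```

The printable-ASCII check is what keeps the output usable: the constructed token `0123456789ab` is syntactically valid Base64 but decodes to binary and is dropped, while the campaign tag survives. Matching on the decoded text rather than the raw Base64 also means a tag is found even when the encoder dropped the trailing padding.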
It is always advised to refer to [official or specifically accredited] sites for downloading official Islamic State material. Downloading from elsewhere is dangerous and such content may include fake or infected material…
While the ever-evolving cyber landscape — brimming with social media platforms and encrypted messaging apps — has empowered jihadists and perpetuated their violent propaganda, it also presents a unique danger to supporters and even to researchers who aim to follow the groups and their releases. The digital life-cycle of jihadist content begins at official points of release, namely official deep web forums with rooms run by the respective groups’ media couriers, and ultimately filters out to surface web platforms like Twitter. After those original points of release, however, the content can no longer be centrally controlled, and it therefore becomes vulnerable to being weaponized against those who aim to view it. As such, although social media and encrypted apps like Telegram have made jihadist material more widely available, they by no means replace the deep web forums through which jihadists have traditionally communicated. In fact, the spread of these secondary platforms has made the deep web forums more important, not less: they remain the only reliable way to authenticate material and to better ensure the content is benign — though it should be noted that this is never guaranteed when viewing material from illicit actors like jihadists.
Essentially, as jihadist content multiplies with the emergence of new social media and encrypted platforms, so too does the risk of that media being compromised. This is why the Deep & Dark Web, as a safe haven on the internet for jihadists, remains important and continues to grow in importance.
[1] Malware analysis was conducted by Flashpoint Senior Analysts Ronnie Tokazowski and Ken Wolf.