Attacks/Breaches

4/8/2015
05:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

AlienSpy A More Sophisticated Version Of The Same Old RATs

The AlienSpy remote access Trojan bears a resemblance to Frutas, Adwind, and Unrecom, say researchers at Fidelis.

In the cybercrime world, old RATs seldom die. They just get tweaked and reused over again. The latest example is AlienSpy, a remote access Trojan (RAT) that is being used in global phishing campaigns targeted at consumers and businesses in various countries.

The Trojan is a more sophisticated version of previous generation RATs like Frutas, Adwind, and Unrecom that have been used in criminal campaigns in recent years, security firm Fidelis Cybersecurity Solution said in an alert Wednesday. Among those being targeted are individuals and businesses in several industries including, the high-tech, financial services, government, and energy sectors.

Like most malware tools, AlienSpy is distributed via phishing emails with subject headers that are designed to fool recipients into opening them. Many of the emails purport to contain information related to financial transactions of some sort. Systems that are infected could end up having additional botnet and data-stealing malware loaded on them.

Fidelis researchers have observed AlienSpy being sold in the cyber underground via a subscription model, with prices starting at $9.90 for 15-day use to $219.90 for an annual subscription. The subscription provides users with access to the malware’s complete range of capabilities, including some newer techniques like sandbox detection, antivirus tool disablement, and Transport Layer Security (TLS) encryption-protected command-and-control capabilities.

AlienSpy is currently detected by only a limited set of antivirus products and incorporates features like multi-platform support. Fidelis described the capabilities of the malware tool as far beyond what used to typically be available with previous generation remote access malware tools.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its features,” Fidelis said, pointing to the malware’s ability to run on Windows, Linux, Mac OS and, most recently, Android platforms.

Besides its ability to infect systems on different operating system platforms, the new Trojan also takes advantage of evasion and obfuscation methods that were not present in previous RATs, Fidelis said.

In terms of its core functions, the RAT is similar in nature to its predecessors. AlienSpy gives attackers the ability to gain complete remote control of a compromised system. It can be used to collect a range of system-specific data, including operating system version, memory and RAM data, Java version number, and other details.

It allows attackers to then use the data to upload and execute additional malware tools, including those that can be used to take control of the compromised computer’s webcam and microphone, monitor user activity, access and steal files, capture passwords, and log keystrokes. The Trojan is being used to drop a variety of malware tools on compromised machines, including the Citadel banking Trojan.

What separates AlienSpy from previous generation RATs is its ability to detect and avoid sandboxes and its ability to detect and disable various antivirus and antimalware tools, according to Fidelis.

Michael Buratowski, vice president of cybersecurity services at General dynamics Fidelis Cybersecurity Division noted that AlienSpy disables upwards of 20 antivirus engines and multiple operating system features like User Access Control and Task manager. "These protection features were not present in previous generations of the family. This ensures that an infected system running one of these AV engines isn’t likely to be remediated," he said in emailed comments to Dark Reading.

Fidelis did not respond immediately to a request seeking information on how many people have been affected by the Trojan so far, the damage it might have caused, and how widespread the infections are.

“Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT,” Fidelis said. It has published a Yara rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise associated with malware attacks. 

The company is also encouraging businesses to inspect all emails containing executable attachments, particularly if the emails are for personnel in areas like finance, human relations, and the executive office. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
4/24/2015 | 3:52:40 PM
Fidelis Threat Advisory #1015
I highly reccommend folks read Fidelis Threat Advisory #1015 (FTA_1015_Alienspy_FINAL.pdf).  It includes a great number of references including links to Kevin Breen's RAT Decoders/AlienSpy.py and AlienSpy Yara rule.  Additionally, links can be found to Sean Wilson's AlienSpy Decoder.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1715
PUBLISHED: 2018-08-16
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 14700...
CVE-2017-13106
PUBLISHED: 2018-08-15
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13107
PUBLISHED: 2018-08-15
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13108
PUBLISHED: 2018-08-15
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13100
PUBLISHED: 2018-08-15
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.