05:40 PM
Connect Directly

AlienSpy A More Sophisticated Version Of The Same Old RATs

The AlienSpy remote access Trojan bears a resemblance to Frutas, Adwind, and Unrecom, say researchers at Fidelis.

In the cybercrime world, old RATs seldom die. They just get tweaked and reused over again. The latest example is AlienSpy, a remote access Trojan (RAT) that is being used in global phishing campaigns targeted at consumers and businesses in various countries.

The Trojan is a more sophisticated version of previous generation RATs like Frutas, Adwind, and Unrecom that have been used in criminal campaigns in recent years, security firm Fidelis Cybersecurity Solution said in an alert Wednesday. Among those being targeted are individuals and businesses in several industries including, the high-tech, financial services, government, and energy sectors.

Like most malware tools, AlienSpy is distributed via phishing emails with subject headers that are designed to fool recipients into opening them. Many of the emails purport to contain information related to financial transactions of some sort. Systems that are infected could end up having additional botnet and data-stealing malware loaded on them.

Fidelis researchers have observed AlienSpy being sold in the cyber underground via a subscription model, with prices starting at $9.90 for 15-day use to $219.90 for an annual subscription. The subscription provides users with access to the malware’s complete range of capabilities, including some newer techniques like sandbox detection, antivirus tool disablement, and Transport Layer Security (TLS) encryption-protected command-and-control capabilities.

AlienSpy is currently detected by only a limited set of antivirus products and incorporates features like multi-platform support. Fidelis described the capabilities of the malware tool as far beyond what used to typically be available with previous generation remote access malware tools.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its features,” Fidelis said, pointing to the malware’s ability to run on Windows, Linux, Mac OS and, most recently, Android platforms.

Besides its ability to infect systems on different operating system platforms, the new Trojan also takes advantage of evasion and obfuscation methods that were not present in previous RATs, Fidelis said.

In terms of its core functions, the RAT is similar in nature to its predecessors. AlienSpy gives attackers the ability to gain complete remote control of a compromised system. It can be used to collect a range of system-specific data, including operating system version, memory and RAM data, Java version number, and other details.

It allows attackers to then use the data to upload and execute additional malware tools, including those that can be used to take control of the compromised computer’s webcam and microphone, monitor user activity, access and steal files, capture passwords, and log keystrokes. The Trojan is being used to drop a variety of malware tools on compromised machines, including the Citadel banking Trojan.

What separates AlienSpy from previous generation RATs is its ability to detect and avoid sandboxes and its ability to detect and disable various antivirus and antimalware tools, according to Fidelis.

Michael Buratowski, vice president of cybersecurity services at General dynamics Fidelis Cybersecurity Division noted that AlienSpy disables upwards of 20 antivirus engines and multiple operating system features like User Access Control and Task manager. "These protection features were not present in previous generations of the family. This ensures that an infected system running one of these AV engines isn’t likely to be remediated," he said in emailed comments to Dark Reading.

Fidelis did not respond immediately to a request seeking information on how many people have been affected by the Trojan so far, the damage it might have caused, and how widespread the infections are.

“Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT,” Fidelis said. It has published a Yara rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise associated with malware attacks. 

The company is also encouraging businesses to inspect all emails containing executable attachments, particularly if the emails are for personnel in areas like finance, human relations, and the executive office. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/24/2015 | 3:52:40 PM
Fidelis Threat Advisory #1015
I highly reccommend folks read Fidelis Threat Advisory #1015 (FTA_1015_Alienspy_FINAL.pdf).  It includes a great number of references including links to Kevin Breen's RAT Decoders/ and AlienSpy Yara rule.  Additionally, links can be found to Sean Wilson's AlienSpy Decoder.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.