05:40 PM
Connect Directly

AlienSpy A More Sophisticated Version Of The Same Old RATs

The AlienSpy remote access Trojan bears a resemblance to Frutas, Adwind, and Unrecom, say researchers at Fidelis.

In the cybercrime world, old RATs seldom die. They just get tweaked and reused over again. The latest example is AlienSpy, a remote access Trojan (RAT) that is being used in global phishing campaigns targeted at consumers and businesses in various countries.

The Trojan is a more sophisticated version of previous generation RATs like Frutas, Adwind, and Unrecom that have been used in criminal campaigns in recent years, security firm Fidelis Cybersecurity Solution said in an alert Wednesday. Among those being targeted are individuals and businesses in several industries including, the high-tech, financial services, government, and energy sectors.

Like most malware tools, AlienSpy is distributed via phishing emails with subject headers that are designed to fool recipients into opening them. Many of the emails purport to contain information related to financial transactions of some sort. Systems that are infected could end up having additional botnet and data-stealing malware loaded on them.

Fidelis researchers have observed AlienSpy being sold in the cyber underground via a subscription model, with prices starting at $9.90 for 15-day use to $219.90 for an annual subscription. The subscription provides users with access to the malware’s complete range of capabilities, including some newer techniques like sandbox detection, antivirus tool disablement, and Transport Layer Security (TLS) encryption-protected command-and-control capabilities.

AlienSpy is currently detected by only a limited set of antivirus products and incorporates features like multi-platform support. Fidelis described the capabilities of the malware tool as far beyond what used to typically be available with previous generation remote access malware tools.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its features,” Fidelis said, pointing to the malware’s ability to run on Windows, Linux, Mac OS and, most recently, Android platforms.

Besides its ability to infect systems on different operating system platforms, the new Trojan also takes advantage of evasion and obfuscation methods that were not present in previous RATs, Fidelis said.

In terms of its core functions, the RAT is similar in nature to its predecessors. AlienSpy gives attackers the ability to gain complete remote control of a compromised system. It can be used to collect a range of system-specific data, including operating system version, memory and RAM data, Java version number, and other details.

It allows attackers to then use the data to upload and execute additional malware tools, including those that can be used to take control of the compromised computer’s webcam and microphone, monitor user activity, access and steal files, capture passwords, and log keystrokes. The Trojan is being used to drop a variety of malware tools on compromised machines, including the Citadel banking Trojan.

What separates AlienSpy from previous generation RATs is its ability to detect and avoid sandboxes and its ability to detect and disable various antivirus and antimalware tools, according to Fidelis.

Michael Buratowski, vice president of cybersecurity services at General dynamics Fidelis Cybersecurity Division noted that AlienSpy disables upwards of 20 antivirus engines and multiple operating system features like User Access Control and Task manager. "These protection features were not present in previous generations of the family. This ensures that an infected system running one of these AV engines isn’t likely to be remediated," he said in emailed comments to Dark Reading.

Fidelis did not respond immediately to a request seeking information on how many people have been affected by the Trojan so far, the damage it might have caused, and how widespread the infections are.

“Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT,” Fidelis said. It has published a Yara rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise associated with malware attacks. 

The company is also encouraging businesses to inspect all emails containing executable attachments, particularly if the emails are for personnel in areas like finance, human relations, and the executive office. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/24/2015 | 3:52:40 PM
Fidelis Threat Advisory #1015
I highly reccommend folks read Fidelis Threat Advisory #1015 (FTA_1015_Alienspy_FINAL.pdf).  It includes a great number of references including links to Kevin Breen's RAT Decoders/ and AlienSpy Yara rule.  Additionally, links can be found to Sean Wilson's AlienSpy Decoder.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-16
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
PUBLISHED: 2019-02-16
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
PUBLISHED: 2019-02-16
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, o...
PUBLISHED: 2019-02-16
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.