In the cybercrime world, old RATs seldom die. They just get tweaked and reused over again. The latest example is AlienSpy, a remote access Trojan (RAT) that is being used in global phishing campaigns targeted at consumers and businesses in various countries.
The Trojan is a more sophisticated version of previous generation RATs like Frutas, Adwind, and Unrecom that have been used in criminal campaigns in recent years, security firm Fidelis Cybersecurity Solution said in an alert Wednesday. Among those being targeted are individuals and businesses in several industries including, the high-tech, financial services, government, and energy sectors.
Like most malware tools, AlienSpy is distributed via phishing emails with subject headers that are designed to fool recipients into opening them. Many of the emails purport to contain information related to financial transactions of some sort. Systems that are infected could end up having additional botnet and data-stealing malware loaded on them.
Fidelis researchers have observed AlienSpy being sold in the cyber underground via a subscription model, with prices starting at $9.90 for 15-day use to $219.90 for an annual subscription. The subscription provides users with access to the malware’s complete range of capabilities, including some newer techniques like sandbox detection, antivirus tool disablement, and Transport Layer Security (TLS) encryption-protected command-and-control capabilities.
AlienSpy is currently detected by only a limited set of antivirus products and incorporates features like multi-platform support. Fidelis described the capabilities of the malware tool as far beyond what used to typically be available with previous generation remote access malware tools.
“We believe that it benefits from unified development and support that has resulted in rapid evolution of its features,” Fidelis said, pointing to the malware’s ability to run on Windows, Linux, Mac OS and, most recently, Android platforms.
Besides its ability to infect systems on different operating system platforms, the new Trojan also takes advantage of evasion and obfuscation methods that were not present in previous RATs, Fidelis said.
In terms of its core functions, the RAT is similar in nature to its predecessors. AlienSpy gives attackers the ability to gain complete remote control of a compromised system. It can be used to collect a range of system-specific data, including operating system version, memory and RAM data, Java version number, and other details.
It allows attackers to then use the data to upload and execute additional malware tools, including those that can be used to take control of the compromised computer’s webcam and microphone, monitor user activity, access and steal files, capture passwords, and log keystrokes. The Trojan is being used to drop a variety of malware tools on compromised machines, including the Citadel banking Trojan.
What separates AlienSpy from previous generation RATs is its ability to detect and avoid sandboxes and its ability to detect and disable various antivirus and antimalware tools, according to Fidelis.
Michael Buratowski, vice president of cybersecurity services at General dynamics Fidelis Cybersecurity Division noted that AlienSpy disables upwards of 20 antivirus engines and multiple operating system features like User Access Control and Task manager. "These protection features were not present in previous generations of the family. This ensures that an infected system running one of these AV engines isn’t likely to be remediated," he said in emailed comments to Dark Reading.
Fidelis did not respond immediately to a request seeking information on how many people have been affected by the Trojan so far, the damage it might have caused, and how widespread the infections are.
“Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT,” Fidelis said. It has published a Yara rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise associated with malware attacks.
The company is also encouraging businesses to inspect all emails containing executable attachments, particularly if the emails are for personnel in areas like finance, human relations, and the executive office.