Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:40 PM
Connect Directly

AlienSpy A More Sophisticated Version Of The Same Old RATs

The AlienSpy remote access Trojan bears a resemblance to Frutas, Adwind, and Unrecom, say researchers at Fidelis.

In the cybercrime world, old RATs seldom die. They just get tweaked and reused over again. The latest example is AlienSpy, a remote access Trojan (RAT) that is being used in global phishing campaigns targeted at consumers and businesses in various countries.

The Trojan is a more sophisticated version of previous generation RATs like Frutas, Adwind, and Unrecom that have been used in criminal campaigns in recent years, security firm Fidelis Cybersecurity Solution said in an alert Wednesday. Among those being targeted are individuals and businesses in several industries including, the high-tech, financial services, government, and energy sectors.

Like most malware tools, AlienSpy is distributed via phishing emails with subject headers that are designed to fool recipients into opening them. Many of the emails purport to contain information related to financial transactions of some sort. Systems that are infected could end up having additional botnet and data-stealing malware loaded on them.

Fidelis researchers have observed AlienSpy being sold in the cyber underground via a subscription model, with prices starting at $9.90 for 15-day use to $219.90 for an annual subscription. The subscription provides users with access to the malware’s complete range of capabilities, including some newer techniques like sandbox detection, antivirus tool disablement, and Transport Layer Security (TLS) encryption-protected command-and-control capabilities.

AlienSpy is currently detected by only a limited set of antivirus products and incorporates features like multi-platform support. Fidelis described the capabilities of the malware tool as far beyond what used to typically be available with previous generation remote access malware tools.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its features,” Fidelis said, pointing to the malware’s ability to run on Windows, Linux, Mac OS and, most recently, Android platforms.

Besides its ability to infect systems on different operating system platforms, the new Trojan also takes advantage of evasion and obfuscation methods that were not present in previous RATs, Fidelis said.

In terms of its core functions, the RAT is similar in nature to its predecessors. AlienSpy gives attackers the ability to gain complete remote control of a compromised system. It can be used to collect a range of system-specific data, including operating system version, memory and RAM data, Java version number, and other details.

It allows attackers to then use the data to upload and execute additional malware tools, including those that can be used to take control of the compromised computer’s webcam and microphone, monitor user activity, access and steal files, capture passwords, and log keystrokes. The Trojan is being used to drop a variety of malware tools on compromised machines, including the Citadel banking Trojan.

What separates AlienSpy from previous generation RATs is its ability to detect and avoid sandboxes and its ability to detect and disable various antivirus and antimalware tools, according to Fidelis.

Michael Buratowski, vice president of cybersecurity services at General dynamics Fidelis Cybersecurity Division noted that AlienSpy disables upwards of 20 antivirus engines and multiple operating system features like User Access Control and Task manager. "These protection features were not present in previous generations of the family. This ensures that an infected system running one of these AV engines isn’t likely to be remediated," he said in emailed comments to Dark Reading.

Fidelis did not respond immediately to a request seeking information on how many people have been affected by the Trojan so far, the damage it might have caused, and how widespread the infections are.

“Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT,” Fidelis said. It has published a Yara rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise associated with malware attacks. 

The company is also encouraging businesses to inspect all emails containing executable attachments, particularly if the emails are for personnel in areas like finance, human relations, and the executive office. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/24/2015 | 3:52:40 PM
Fidelis Threat Advisory #1015
I highly reccommend folks read Fidelis Threat Advisory #1015 (FTA_1015_Alienspy_FINAL.pdf).  It includes a great number of references including links to Kevin Breen's RAT Decoders/AlienSpy.py and AlienSpy Yara rule.  Additionally, links can be found to Sean Wilson's AlienSpy Decoder.
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.