Researchers have conducted a detailed analysis of AlienSpy, a Java-based remote access Trojan (RAT) that has been used by malicious actors to target regular Internet users and enterprises worldwide.
According to General Dynamics Fidelis Cybersecurity Solutions, AlienSpy is the successor of well-known RATs such as Frutas, Adwind and Unrecom. These predecessors are still being used in attacks, particularly Adwind, but researchers have noticed a wave of AlienSpy samples targeted at consumers and organizations in sectors such as energy, government, financial services, and technology.
AlienSpy, which is advertised on the alienspy(dot)net website as “the best software for take (sic) remote control of your devices,” supports multiple platforms, including Windows, Linux, Mac and Android. The tool is not promoted as a piece of malware, but the antivirus disabling features and the fact that customers can test their builds to see if they are detected by security products provide some clues to AlienSpy’s true nature.
The RAT, sold for between $20 and $220 depending on the package, uses a dozen plugins to accomplish various tasks. Because it uses a modular plugin framework, AlienSpy can be easily upgraded with new capabilities, Fidelis noted in its report.
Similar to other RATs, the threat can collect information on the infected system, download and execute other malware, capture data from the device’s webcam and microphone, initiate a remote desktop session to monitor the victim’s activities, access files on the system, log keystrokes, and steal web browser passwords.
In addition to these standard features, AlienSpy can detect the presence of sandboxes, and detect and disable antivirus and security tools. Another noteworthy aspect is the use of the Transport Layer Security (TLS) protocol for command and control (C&C) server communications.
The samples analyzed by Fidelis researchers have been distributed through phishing campaigns involving emails that appear to be related to payments and orders. On one of the infected machines, experts noticed that AlienSpy downloaded the Citadel banking Trojan.
Experts have found several clues linking AlienSpy to Unrecom and its other predecessors, including code reuse and similar configuration files.
“Since November 2013, Adwind RAT has been known to be sold under the Unrecom RAT name. Adwind RAT is known to have evolved from Frutas RAT. Frutas RAT has been used in phishing emails against high-profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government,” Fidelis explained in its report.
The complete report on AlienSpy, which includes a Yara rule and indicators of compromise (IoC), is available online.