AlienSpy: A more sophisticated Trojan targets consumers and enterprises
Works on all major desktop platforms; Deactivates Virus Guards; Detects Sandboxes
A new Java-based, multi-platform Remote Access Trojan (RAT) is being distributed via phishing campaigns to individual users as well as to large organizations.
According to Fidelis Security, a company that offers solutions against advanced security threats, AlienSpy is the latest in the series of RATs – Frutas, Adwind and Unrecom. It works on major desktop platforms like Windows, Linux and Mac OS, and also on the Android mobile operating system.
AlienSpy is sold openly on the web as legitimate software, marketed as a tool for the remote management of computers, and also in the cyber underground via a subscription model. Membership packages are sold for between $20 and $220 (€18.5 – €203), depending on the number of modules the buyer wants. It uses a modular plug-in framework and can be easily upgraded with new capabilities.
Similar to other RATs, AlienSpy can collect system information from the infected system, download and execute other malware, capture audio and video from the device’s webcam and microphone, initiate a remote desktop session to monitor the infected computer’s activities remotely, access files on the system, log keystrokes and steal passwords stored in web browsers.
In addition to these standard features, the researchers found that AlienSpy includes new features which were not present in the previous generations of RATs. The new version has analysis evasion capabilities, such as detecting the presence of sandboxes, detecting and deactivating antivirus and security tools, encrypting communication with its command and control (C&C) server using the Transport Layer Security (TLS) cryptographic protocol, and disabling multiple operating system features like User Access Control and Task Manager. According to Fidelis, this version of AlienSpy can even change various registry keys in the system in order to prevent various security tools from running.
Fidelis stated that the victims of AlienSpy are at extremely high risk of having other, more advanced malware downloaded to their computer systems. Once the attackers gain control of the system, they are capable of propagating to other systems in the network as well as renting the infected system to other cybercriminals.
In order to avoid these malicious attacks, Fidelis advises filtering all emails, especially those that contain executable attachments. It has published a YARA rule, which basically offers enterprises a way to detect and block specific incoming threats by looking for the so-called indicators of compromise (IoCs) associated with malware attacks.
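The attachment filtering Fidelis recommends above, as an added example that is not part of the article or of Fidelis' published YARA rule: because AlienSpy is a Java RAT, a gateway should not rely on the file extension alone, and this Python snippet also checks the attachment content for a Java archive (a ZIP carrying META-INF/MANIFEST.MF). The blocked-extension list, the sample message and the placeholder bytes are assumptions constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions a mail gateway should not let through unscreened (an assumed defender's list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".jar", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

def is_java_archive(data: bytes) -> bool:
    """Content check: a JAR is a ZIP containing META-INF/MANIFEST.MF, whatever its filename."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def flag_executable_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment the gateway should quarantine."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif is_java_archive(payload):
            findings.append((name, "Java archive content behind a non-.jar name"))
    return findings

def build_sample_message() -> bytes:
    """Constructed sample: a phishing-style mail whose JAR is renamed to look like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Main-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only, placeholder body
    msg = EmailMessage()
    msg["From"] = "invoice@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="viewer.exe")  # placeholder
    msg.add_attachment(b"plain text", maintype="text", subtype="plain", filename="notes.txt")
    return bytes(msg)
```

Running `flag_executable_attachments(build_sample_message())` flags the renamed JAR and the .exe but leaves the text attachment alone.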