Multi-platform AlienSpy RAT targeting consumers, enterprises

A new Java-based, multi-platform remote access trojan (RAT) is being used to target both consumers and enterprise users.

It’s called AlienSpy RAT and, according to researchers of security firm Fidelis, it is the latest in a well known lineage of RATs – Frutas, Adwind and Unrecom.

AlienSpy is capable of collecting system information, uploading and executing additional malware, surreptitiously capturing audio and video via the computer’s webcam and microphone, stealing passwords stored in browsers, keylogging and, of course, allows attackers to access the infected computer remotely.

AlienSpy supports infections on Windows, Linux, Mac, and Android devices, and is able to deactivate a number of AV and security tool, as well as to detect sandboxes. It uses TLS cryptographic protocols to protect its communication with its C&C server.

“AlienSpy is a Java-based RAT that provides a plugin framework with a total of around twelve plugins for different operating system platforms. This modular plugin framework makes it easy for the attackers to upgrade the RAT with plugin that provides additional features,” the researchers noted.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs.”

The malware is currently sold on underground forums for a price that ranges from $19.90 to $219.90, depending on a membership package that ranges from Basic to Ultimate.

The RAT is delivered via unsolicited emails ostensibly sent by individuals and company employees notifying the recipients about payment and Swift details, order details, remittance errors, etc. The malware is in the attachment, which is usually an archive file (.zip or .jar).

“We’re currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors,” researchers warn.

“Once the attacker gains control, he could try to propagate to other systems in the network, spread more advanced malware, etc. The attackers could also rent their infected system to other cybercriminals including advanced threat actors looking to gain access to systems of high interest.”

In order to help businesses fight this threat, they provided a Yara rule that can be used to detect variants, as well as policy recommendations that can mitigate this danger.