Entities in financial, energy and government sector impacted

Apr 8, 2015 14:45 GMT

A remote access Trojan (RAT) called AlienSpy is currently being distributed via phishing campaigns to individual users as well as organizations from different sectors of activity, including telecommunication and government.

Classified as a tool for remote management of computers, AlienSpy is sold openly on the web and has evolved from previous products (Frutas, Adwind and Unrecom) whose use for nefarious purposes has been observed by security researchers.

Cross-platform, poor antivirus detection

According to Fidelis Security, a company that offers solutions against advanced threats, the RAT enjoys limited antivirus detection. Furthermore, its developer passes it off as legitimate software and clearly states this in the FAQ section of the website.

AlienSpy works on all major desktop platforms (Windows, Mac and Linux) and also has support for the Android mobile operating system, which only makes it more appealing to cybercriminals.

However, despite its legitimate appearance, the RAT has been seen to pass along a dropper for the infamous Citadel malware.

At the moment, Fidelis Security monitors several AlienSpy samples that have been released across the globe against entities related to technology, financial services, government and the energy sector.

Capabilities are fit for malicious activity

Among the features available in AlienSpy, there is data gathering (IP, OS version, RAM info, computer name), uploading and executing files, video and audio captures, remote desktop management, stealing browser-stored passwords, and keylogging.

The researchers found that the latest version of the RAT also includes analysis evasion capabilities, such as sandbox detection, terminating activity of numerous antivirus and security tools, and encrypted communication with the command and control (C&C) server.

“The Adwind and AlienSpy threat activity observed in the past weeks against various targets in our customer base is of great concern to us as it is being carried through phishing emails with remote access tools that provide the threat actors with full control over the victim systems,” reads a Wednesday report from Fidelis Security on AlienSpy’s capabilities.

“Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections,” the report continues.

AlienSpy could be used to start an illegal business

Victims are lured with messages claiming to carry discounts for different products or financial documents (remittance, invoices, orders) on matters that need to be addressed urgently.

The security company says that AlienSpy represents an extremely high risk because it can also be used to deploy separate malicious operations by creating a botnet and renting it to other cybercriminals.

AlienSpy membership packages are sold for between $20 and $220 (€18.5 - €203), depending on the number of modules the buyer wants.

Images: AlienSpy builder menu; options to disable security tools on the compromised system; payload customization in AlienSpy builder