Fidelis Threat Advisory #1015
Ratting on AlienSpy
This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide a detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years, and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research, as well as a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT.
There is a long line of RATs that have received attention in the past few years, are known to be related in provenance, and have been observed in related campaigns. These include njRAT, njWorm and Houdini RAT, all of which have been repeatedly deployed against victims in the consumer space as well as large enterprises. These RATs are recognized as having a robust feature set, and much of the evolution observed in them has been in the delivery mechanism rather than in core functionality.
AlienSpy is different in this regard. It is the latest in a well-known lineage of RATs; Frutas, Adwind and Unrecom are all predecessors. We believe that it benefits from unified development and support, which has resulted in rapid evolution of its feature set: multiplatform support (including Android) as well as evasion techniques not present in other RATs. It must be noted that previous generations of this RAT lineage continue to be used in specific campaigns, notably Adwind. However, we are currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.
- AlienSpy is a full-featured RAT currently used in multiple campaigns globally, targeting consumers and enterprises and currently detected by a limited set of antivirus products.
- Current versions of AlienSpy provide features such as multiplatform support (including Android), virtual machine evasion and TLS-encrypted command-and-control communications, which extend beyond what other commodity RATs offer.
- AlienSpy is the latest in a family of RATs such as Adwind, Frutas and Unrecom, all of which have been observed in campaigns targeting large enterprises. These tools have rapidly evolved through continuous updates and are made available through various subscription models, which is innovative for this class of malware.
- Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT. To this end, we are publishing a Yara rule as well as a set of Indicators of Compromise (IOCs).
To see the full report and findings, visit the Fidelis Threat Advisory #1015.