We come not to praise AlienSpy, we come to bury it
First, a quick update. Since our publication of the RATting on AlienSpy Fidelis Threat Advisory, the AlienSpy domain has been suspended by GoDaddy, the registrar for the domain. Obviously this means no one can currently buy an AlienSpy membership, but it also means that existing AlienSpy members and their builders can no longer authenticate against a valid membership.
This currently has four major impacts:
- No new individuals can acquire the builder.
- The builder no longer operates – no new malware samples can be created.
- The control panel that manages victims no longer operates – all active infections are snuffed.
- The forums and ability to communicate with the authors is down.
This means that all AlienSpy actors worldwide are currently out of commission. The malware nonetheless remains present on victim systems, and services it disabled, such as AV, will stay in that state until corrected. However, victim systems are no longer controlled by the attackers.
Such an action was effective because AlienSpy was a subscription-driven service: the installed builder had to be able to authenticate that it belonged to a valid subscription. To do this, it required the username and password created on the website in order to log in to the builder. Additionally, the builder derived a hardware ID that was stored on the website and used to ensure the builder was not run on multiple machines (and, by extension, not on virtual machines either). Once the domain went offline, all such activity ceased.
However, we recognize that AlienSpy is one of several evolutions by the same authors, and they will undoubtedly be back. But for now, the King of RATs is dead. Long live the King.
-Fidelis Threat Research Team