This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research as well as a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT.
There is a long line of RATs that have received attention in the past few years, are known to share provenance and have been observed in related campaigns. These include njRAT, njWorm and Houdini RAT, all of which have been repeatedly deployed against victims in the consumer space as well as large enterprises. These RATs are recognized to have a robust feature set, and much of the evolution that has been seen is in the nature of the delivery rather than in core functionality.
AlienSpy is different in this regard. It is the latest in a well-known lineage of RATs; Frutas, Adwind and Unrecom are all predecessors. We believe that it benefits from unified development and support, which has resulted in rapid evolution of its feature set: multiplatform support (Android among the supported platforms) and evasion techniques not present in other RATs. It must be noted that previous generations of this RAT continue to be used in specific campaigns, notably Adwind. However, we are currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.
AlienSpy is a full-featured RAT currently used in multiple campaigns globally, targeting consumers and enterprises and currently detected by a limited set of antivirus products.
Current versions of AlienSpy provide features like multiplatform support, including Android, VM evasion and TLS-encrypted communications that extend beyond other commodity RATs.
AlienSpy is the latest in a family of RATs such as Adwind, Frutas and Unrecom, all of which have been observed in campaigns targeting large enterprises. These tools have rapidly evolved through continuous updates and are made available through various subscription models, which is innovative for this class of malware.
Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT. To this end, we are publishing a Yara rule as well as a set of Indicators of Compromise (IOCs).
Last week, a US District Court initially approved a $10M settlement in a class action suit against Target for the Christmas 2013 hack that compromised millions of credit cards and the personal information of 60 million customers. The impact of this settlement will be felt far beyond the $10M in damages it provides. In fact, the dollar value of the settlement pales in comparison to the incident response costs and the fines assessed by the credit card issuers and government regulatory organizations (FTC, state attorneys general, etc.). Target had also taken action to comply with some of the requirements of the class action months ago when it established a CISO position and filled it last June.
One of the provisions of the settlement is extremely unusual and possibly unprecedented: allowing for payment of damages without documentation. Most settlements like this require individuals to provide proof of their losses. In this case, damages of up to $10,000 will first be paid to individuals who provide proof but then, the rest of the settlement funds will be divided among consumers who claim they suffered a loss, even if they don't have documentation.
An attorney for Target customers, Vincent Esades, said after the hearing that the settlement could end up costing Target substantially more than the $10M direct cap on settlements to the claimants. The total cost including attorneys’ fees and administrative costs could likely reach $25M.
As you may have heard, this year RSA Conference has launched a crowdsourced speaking track; in short, RSA has opened a number of speaking abstracts up for a vote and the top 25 will have a shot at being included at the conference. Voting will be open until April 2, with the RSA program committee narrowing down the final 12 winners by April 9.
I’m honored that my proposed session, “How-To: Aggressive Remediation in an APT World”, is included in the voting pool and wanted to give our readers a preview of what my session would entail. Don’t worry, if you’re too busy to read the blog but trust that it’s a good session you can skip ahead and vote here.
The breaches we investigate reveal that APT hackers are often embedded for months or years before discovery, and remediation is not as simple as ending the attack and fixing vulnerabilities. In order to address these advanced attacks, security staff need to take an aggressive stance during incident response and focus not only on containment but on eradication of the threat.
When you break it down, any incident response program has three equally important parts:
Mandarin Oriental Hotel Group has confirmed its hotels have been affected by a credit card breach. According to a Mandarin Oriental statement, the “credit card systems in an isolated number” of hotels in the US and Europe were breached. Banking industry sources told Brian Krebs that most if not all Mandarin hotels in the US were impacted including locations in Boston, Florida, Las Vegas, Miami, New York and Washington, D.C. The breach reportedly began in December 2014.
A vulnerability known as FREAK (Factoring attack on RSA-EXPORT Keys) has been found in SSL/TLS implementations. The flaw lets a man-in-the-middle downgrade a connection to export-grade RSA, so that a weak 512-bit key is used in place of today’s standard 2048-bit keys; a 512-bit RSA modulus can be factored with modest computing resources, after which the attacker can recover the session keys and read or tamper with the traffic. Initial reports listed Android, iOS and OS X clients as vulnerable and most Windows and Linux systems as not affected. The reliable check is behaviour rather than platform name: whether a server still accepts RSA_EXPORT cipher suites, and whether a client accepts a 512-bit temporary RSA key it never asked for.
Domain Shadowing attacks are targeting Adobe Flash and Microsoft Silverlight. The attackers use phishing emails to steal domain registrar account credentials and set up tens of thousands of short-lived sub-domains under legitimate domains that redirect victims to sub-tier landing pages hosting the Angler exploit kit.
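The downgrade described above leaves a fingerprint in the server side of the handshake: either an RSA_EXPORT suite is negotiated outright, or (as seen from the client’s side of an active attack) a ServerKeyExchange carrying a short temporary RSA key appears after a static-RSA suite that should never have one. The following added example, which is not code from the original article or from the FREAK researchers, parses constructed ServerHello and ServerKeyExchange records and flags both conditions. The cipher-suite numbers are the RFC 2246 values; the 1024-bit threshold, the record builder and the sample bytes are assumptions made for the demonstration.

```python
"""Flag a TLS handshake that negotiated export-grade RSA (the FREAK downgrade).

Added example; not code from the original article. It parses the server side of
a handshake: ServerHello (to read the chosen cipher suite) and ServerKeyExchange
(to measure the temporary RSA modulus). Records below are constructed, not captured.
"""
import struct

# RSA_EXPORT cipher suites from RFC 2246 appendix A.5 (FREAK's target set).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Static-RSA suites: a legitimate handshake with these has NO ServerKeyExchange.
STATIC_RSA_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D}
HANDSHAKE = 0x16            # TLS record content type
SERVER_HELLO = 0x02         # handshake message types
SERVER_KEY_EXCHANGE = 0x0C
WEAK_RSA_BITS = 1024        # assumed threshold; export keys are 512 bits


def iter_handshake_messages(data):
    """Yield (type, body) for each handshake message in a run of TLS records.
    Messages split across records are not reassembled (simplifying assumption)."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, rlen = struct.unpack("!BHH", data[off:off + 5])
        rec = data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue
        pos = 0
        while pos + 4 <= len(rec):
            htype = rec[pos]
            hlen = int.from_bytes(rec[pos + 1:pos + 4], "big")
            yield htype, rec[pos + 4:pos + 4 + hlen]
            pos += 4 + hlen


def server_hello_suite(body):
    """Chosen suite in a ServerHello: version(2) random(32) session_id<0..32> suite(2)."""
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def rsa_modulus_bits(body):
    """Bit length of rsa_modulus in an RSA ServerKeyExchange (ServerRSAParams)."""
    mod_len = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + mod_len], "big").bit_length()


def check_freak(data):
    """Return a list of findings for the server-side handshake bytes in `data`."""
    findings, suite = [], None
    for htype, body in iter_handshake_messages(data):
        if htype == SERVER_HELLO:
            suite = server_hello_suite(body)
            if suite in RSA_EXPORT_SUITES:
                findings.append("export suite negotiated: " + RSA_EXPORT_SUITES[suite])
        elif htype == SERVER_KEY_EXCHANGE and (suite in RSA_EXPORT_SUITES or suite in STATIC_RSA_SUITES):
            if suite in STATIC_RSA_SUITES:
                # Client-side view of an active downgrade: the MITM rewrote the
                # ServerHello back to a static-RSA suite but forwarded the export key.
                findings.append("ServerKeyExchange after static RSA suite 0x%04x" % suite)
            bits = rsa_modulus_bits(body)
            if bits < WEAK_RSA_BITS:
                findings.append("temporary RSA key is only %d bits" % bits)
    return findings


def _record(htype, body):
    """Wrap a handshake body in a TLS 1.0 handshake record (constructed helper)."""
    hdr = bytes([htype]) + len(body).to_bytes(3, "big")
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hdr) + len(body)) + hdr + body


def build_sample(suite, modulus_bits=512, force_ske=False):
    """Constructed ServerHello, plus a ServerKeyExchange for export suites or when forced."""
    hello = struct.pack("!H", 0x0301) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    data = _record(SERVER_HELLO, hello)
    if force_ske or suite in RSA_EXPORT_SUITES:
        modulus = (1 << (modulus_bits - 1)) | 1              # odd, exactly modulus_bits long
        mod = modulus.to_bytes((modulus_bits + 7) // 8, "big")
        exp = b"\x01\x00\x01"
        sig = b"\x00" * 128                                  # placeholder for the real signature
        params = struct.pack("!H", len(mod)) + mod + struct.pack("!H", len(exp)) + exp
        data += _record(SERVER_KEY_EXCHANGE, params + struct.pack("!H", len(sig)) + sig)
    return data


if __name__ == "__main__":
    print(check_freak(build_sample(0x0003)))                  # server accepted export RSA
    print(check_freak(build_sample(0x002F, force_ske=True)))  # downgrade as the client sees it
    print(check_freak(build_sample(0x002F)))                  # clean AES handshake: []
```

Pointing `check_freak` at real captures requires record reassembly and ECDHE/DHE handling, which this demo deliberately omits; the value is in showing which two fields to look at.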
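Because the attacker creates the sub-domains under a legitimate registered domain, reputation lists on the parent domain do not help; what stands out in DNS logs is a burst of distinct, random-looking labels under one domain. The following added example, not code from the original article, runs that check over constructed DNS query lines. The log format, the thresholds, the two-label registered-domain split and the sample domains are all assumptions for the demonstration.

```python
"""Flag domain-shadowing activity in DNS query logs.

Added example; not code from the original article. Queries are grouped by
registered domain, only random-looking subdomain labels are kept, and a domain
is flagged when enough of them first appear inside one time window.
Thresholds, log format and the log lines below are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Assumed thresholds; baseline them against your own traffic before alerting.
MIN_RANDOM_SUBDOMAINS = 5      # distinct random-looking subdomains in one window
WINDOW_SECONDS = 3600          # size of the sliding window
MIN_LABEL_LENGTH = 8           # shorter labels are too easy to misjudge
MIN_LABEL_ENTROPY = 3.0        # bits per character; "www"/"mail" score far lower

# Assumed log format: "<epoch> <client ip> query <fqdn> <qtype>"
LOG_RE = re.compile(r"^(\d+)\s+\S+\s+query\s+(\S+)\s+(?:A|AAAA)$")

# Constructed sample log: one legitimate domain, one domain whose registrar
# account was abused to create throwaway subdomains.
SAMPLE_LOG = """\
1425000000 10.1.2.3 query www.example-legit.com A
1425000030 10.1.2.4 query mail.example-legit.com A
1425000100 10.1.2.5 query x8k2pq4wd9vt.shadowed-victim.org A
1425000160 10.1.2.6 query q3n7zr5ycm8b.shadowed-victim.org A
1425000220 10.1.2.7 query h6d9wk2tf4xs.shadowed-victim.org A
1425000280 10.1.2.8 query m2v8rj5pl7qe.shadowed-victim.org A
1425000340 10.1.2.9 query b4y7ns3gk9wd.shadowed-victim.org A
1425000400 10.1.2.10 query www.shadowed-victim.org A
1425009999 10.1.2.11 query c9t2.shadowed-victim.org A
"""


def split_domain(fqdn):
    """Return (registered_domain, subdomain). Treats the last two labels as the
    registered domain, an assumption that breaks on suffixes such as co.uk;
    use a public-suffix list in production."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic for machine-generated labels: long enough and high entropy."""
    return len(label) >= MIN_LABEL_LENGTH and shannon_entropy(label) >= MIN_LABEL_ENTROPY


def max_in_window(timestamps, window=WINDOW_SECONDS):
    """Largest number of timestamps that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def parse_line(line):
    """Return (epoch, fqdn) for a log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def find_shadowed(lines):
    """Return {registered_domain: count} for domains whose random-looking
    subdomains first appeared MIN_RANDOM_SUBDOMAINS or more times in one window."""
    first_seen = defaultdict(dict)  # domain -> {subdomain: first epoch seen}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        epoch, fqdn = parsed
        domain, sub = split_domain(fqdn)
        if sub and looks_random(sub.split(".")[0]):
            first_seen[domain].setdefault(sub, epoch)
    flagged = {}
    for domain, subs in first_seen.items():
        count = max_in_window(subs.values())
        if count >= MIN_RANDOM_SUBDOMAINS:
            flagged[domain] = count
    return flagged


if __name__ == "__main__":
    for domain, count in find_shadowed(SAMPLE_LOG.splitlines()).items():
        print("possible domain shadowing: %s (%d random subdomains in %ds)"
              % (domain, count, WINDOW_SECONDS))
```

Entropy alone misfires on CDN and cloud hostnames, so in practice the count is combined with newly-seen-domain tracking and with whether the parent domain is one your users normally visit.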
Uber announced on February 27 that one of its databases was breached, putting up to 50,000 former and current Uber drivers’ personal information at risk. The database contained the names and driver’s license numbers of Uber drivers across multiple states. The breach was first discovered on September 17, 2014 and was believed to be a one-time incident that took place on May 13, 2014.
D-Link is releasing firmware updates for a number of its routers to fix vulnerabilities that can be exploited to load malicious code, permit command injection and disclose device configuration information to attackers. The affected products are DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-820L, DIR-826L, DIR-830L and DIR-836L.
We are often asked what a typical breach response looks like, and the answer is that no two incidents are the same. But here’s one example from a breach we responded to recently. It started after we were contacted by a company in the critical infrastructure sector. The company had noticed suspicious activity on its network: multiple servers were running unexpected services, there was unusual VPN activity, and suspicious executables had been found. The company knew there was an issue and asked our NDF team to investigate how the breach occurred, determine what if anything had been taken, and defend against future attacks.
For a little background, the company we were working with has more than 1,600 servers and approximately 6,000 user devices around the world. With that many potential breach points, our first priority was to increase network visibility and perform forensic analysis to determine if intruders were still active within the network.
With that goal in mind we went to work. As is the case with any breach response we first had to put together a plan of attack and in this case our response would include conducting interviews, imaging suspect systems for forensic analysis, reverse engineering suspicious files, and establishing a provisional Security Operations Center manned by our team as the company began to build their own in-house SOC.
Two lawsuits were filed in Denver District Court against Anthem Inc. after a massive data breach exposed private information on more than 80 million of the insurance company’s past and present customers and employees. In both suits, plaintiffs echo the anger and argument of previous lawsuits claiming that Anthem broke faith by failing to protect their information.
A piece of malware installed on the systems of casual gaming company Big Fish Games has been used to steal customer payment information. The malware was installed on the billing and payment pages of the company’s website and appears to have intercepted customer data such as names, addresses, payment card numbers, expiration dates, and CVV2 codes as it was entered. According to Big Fish Games, customers who entered new payment information between December 24, 2014 and January 8, 2015 may have been affected. There is no indication that this issue impacted customers who purchased games for iOS and Android devices or through Facebook.
Several wireless routers made by Netgear contain a vulnerability that allows unauthenticated attackers to extract sensitive information from the devices, including their administrator passwords and wireless network keys. The vulnerability can be exploited over local area networks, as well as over the Internet if the devices are configured for remote administration and expose their Web interface externally.
Researchers and a variety of international law enforcement agencies uncovered a two-year criminal operation which stole $1 billion from banks worldwide. The cybergang struck banks, e-payment systems and financial institutions in 30 countries using the Carbanak malware. The criminal gang was able to transfer cash fraudulently and compromise ATMs.
Lenovo has been selling computers that come preinstalled with adware from a company called Superfish that hijacks encrypted Web sessions and exposes users to HTTPS man-in-the-middle attacks. To inspect HTTPS traffic, Superfish installs its own root certificate in the system trust store, and the private key for that certificate is identical on every affected machine. Anyone who extracts that key can sign certificates for imposter HTTPS websites that affected PCs will accept as trusted.
Want to keep up with Cyber Scoop throughout the week? Follow us on Twitter @FidSecSys and don’t forget to share articles you think should be in next week’s Scoop using #CyberScoop!