Experts with FireEye have identified two phishing campaigns involving a remote administration tool.

Researchers with FireEye have identified two phishing campaigns involving a remote administration tool (RAT) known as WinSpy, according to recent research, which adds that the $30 malware also comes packaged with an Android component known as GimmeRAT.

The first campaign involves spear phishing emails targeting a U.S. financial institution, Nart Villeneuve, senior threat intelligence researcher at FireEye, told SCMagazine.com in a Tuesday email correspondence. FireEye did not name the targeted financial institution.

“We believe that the second campaign is being propagated indiscriminately via spam,” Villeneuve said.

In a FireEye blog post, Thoufique Haq, a FireEye security researcher, explained that the spear phishing emails carry an attachment that, when opened, displays what appears to be a pay slip; the document is a decoy, shown to distract the recipient while the attachment launches the WinSpy malware in the background.

The second campaign involves macro documents – claiming to be from Western Union, or related to other financial matters – included as attachments or links in emails.

“The use of Western Union and similar names in a spam attachment is quite a common theme, but not indicative of Western Union being targeted,” Villeneuve said.

Once a system is infected with WinSpy, an attacker can take screenshots, log keystrokes and retrieve various system reports, as well as download and upload files and execute additional payloads, according to the blog post, which adds that the default command-and-control infrastructure is owned and controlled by the WinSpy author.

“This does not necessarily mean the author is behind the attack, as the author provides the use of his server for command-and-control as well as to store the victim data as the default option in the WinSpy package,” Haq wrote. “This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker.”

The GimmeRAT Android component – which Haq wrote was uncovered during the investigation of the Windows modules for WinSpy – has three different applications as part of a surveillance package, according to the post.

“One of the applications requires commandeering via a Windows controller and requires physical access to the device, while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” Haq wrote, explaining that the remote components are controlled via SMS messages.

GimmeRAT has components that can take screenshots, as well as collect GPS information, and upload that data to attackers, Villeneuve said, adding that WinSpy is being offered for sale on the author's website for $29.95.