Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Cross-platform RAT ‘AlienSpy’ targets Mac OS X, Windows and Android users

Analysts warns that a multi-platform remote access trojan (RAT) has been taken up by attackers to target end users around the globe, as well as enterprises in the technology, financial services, government and energy sectors.

Dubbed “AlienSpy,” the RAT was discovered by General Dynamics' Fidelis Threat Research Team, which observed phishing emails targeting its customer base over the past few weeks with the malware. In an advisory published Wednesday (PDF), Fidelis noted that the tool appeared to be new-and-improved version of another RAT, named Frutas, which has also been called Adwind RAT and Unrecom RAT over the course of its evolution.

AlienSpy notably has cross-platform functionalities, as it can infect devices running Windows, Linux, Mac OS X and even the Android mobile operating system.

“AlienSpy is a Java-based RAT that provides a plug-in framework with a total of around 12 plug-ins for different operating system platforms,” the Fidelis threat advisory explained. “This modular plug-in framework makes it easy for the attackers to upgrade the RAT with plug-ins that provides additional features.”

Researchers said that the website for the tool, AlienSpy[dot]net, claims that the RAT is not classified as malware, thought it sports built-in features that disable many anti-virus tools. Attackers leveraging the RAT could also use it to download additional malware, Fidelis said.

Currently, AlienSpy is sold being sold on a subscription basis, from $19.90 to $219.90, depending on the length of time buyers wish to access the tool ($220 allows a year of access, for instance).

The RAT's other capabilities entail collecting system information (such as IP addresses, operating system versions, memory RAM information, Java version and computer name), using infected devices' webcams and microphones unbeknownst to victims, keylogging and browser password theft. AlienSpy can also access device files in the context of the current user and utilize the Remote Desktop feature to spy on victims' activities, the firm said. In addition to disabling AV and other security tools, the RAT also works to evade detection by using transport layer security (TLS) to secure its command-and-control communications. AlienSpy also detects sandboxing technologies, according to Fidelis.

The company provided tips for detecting the threat, recommending that businesses implement policies where emails containing archives with executable files are inspected via security tools before reaching end users.

In Wednesday email correspondence with, Mike Buratowski, vice president of cybersecurity services at the company, said that the RAT poses a “real challenge for end users” since “attackers know that there is little that an infected end user can do when core functionality like AV and UAC [user account control] are disabled.”

Buratowski added that, for enterprises, “there is a self-signed certificate that has been used on the TLS traffic” for AlienSpy. “Enterprises that monitor that traffic should investigate such activity,” he advised.

The Fidelis research team published a YARA rule at the end of the advisory for detecting variants of AlienSpy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.