Ratting on AlienSpy

Executive Summary

This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research as well a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT [1], [2], [3], [4].

There is a long line of RATs that have received attention in the past few years and are known to be related in provenance and have been observed in related campaigns. These include njRAT, njWorm and Houdini RAT, all of which have been repeatedly deployed against victims in the consumer space as well as large enterprises. These RATs are recognized to have a robust feature set and much of the evolution that has been seen is in the nature of the delivery, rather than in core functionality.

AlienSpy is different in this regard. It is the latest in a well known lineage of RATs–Frutas, Adwind and Unrecom are all predecessors. We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs. It must be noted that previous generations in this RAT continue to be used in specific campaigns, notably Adwind. However, we’re currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.

Related on Threat Geek:

Download Full Threat Advisory

Ratting on AlienSpy