News of the murder of Argentinian prosecutor Alberto Nisman linked to an unique version of AlienSpy takes another turn. Last week we began tracking organizations in the U.S., UK and Germany that were infected by Java-based remote access tools (RATs). These organizations were in the critical infrastructure, financial services, technology and consulting verticals. We notice some important differences from an older version of AlienSpy, which we had seen months ago.
Early this year, we wrote extensively on AlienSpy in a Fidelis Threat Advisory #1015 and follow up blog post about the Alienspy.net domain being taken down and crippling the existing builders. Since then, AlienSpy has re-emerged with new encryption and operating under a new domain at jsocket[dot]org.
AlienSpy (and now JSocket) is a commercial subscription-based RAT written in Java that attackers use to compromise all flavors of PCs and Android phones. The builder “phones home” to verify a valid subscription exists based on the hardware ID of the machine the builder resides on before any functionality is available. Accordingly, the builder cannot run on virtualized hardware.
This malware has been implicated in several high-profile events such as the murder of Argentinian prosecutor Alberto Nisman. You can see some of our research has been referenced on motherboard.vice.com and firstlook.org reports.
As a brief timeline, the AlienSpy domain was suspended on April 10, 2015 by GoDaddy. On April 19, 2015, jsocket[dot]org was registered at eNom and the first started blogging there on June 23, 2015. As of July 11, 2015, the AlienSpy client “officially” closed with everyone required to point to jsocket that currently resides at 126.96.36.199 at LayerIP in the UK.
In the meantime, reseller rekings[dot]com was also selling versions of AlienSpy that did not talk to AlienSpy[dot]net to verify subscription information. Those versions talked to carity[dot]x10host[dot]com for subscription information, likely an interim solution by the operators of AlienSpy. This hostname currently resides at 188.8.131.52 in the X10Hosting network in the US.
Campaigns have recently been observed beginning August 13th, 2015 that utilize this new malware as part of phishing emails such as the one below:
We have placed you an order No.51203319 Dated 28/05/15 Delivery date is 30/08/15 please maintain your delivery adherence.
and find attach for some changes made in article 5 & 6 for your kind perusal
Trinity Engineering Services L.L.C.
P.O. Box: 8807, Dubai, U.A.E.
Tel: +971 4 3466644, Fax: +971 4 3466655
Mobile: +971 52 9940344
Two variants of this malware with hashes d44b930e4060e2f021de888e0fa2df8a and ae4b7f41c120cb8a14cff629b4b0308d use similar lures, fake invoices or court documents and beacon to C2 at giftedman[dot]serveblog[dot]net with IP 184.108.40.206 which appears to be a residential ADSL line in Ghana near Accra.
Interestingly, this malware will also attempt to install a Java client on machines if it is not already present.
In all cases, you can detect this type of threat by seeing .jar file attachments to email, .zip and other archive files with a .jar file and .jar files with mismatched file extensions to popular document types.
We anticipate that JSocket will continue to grow in use due to its platform independence and versatility. Its use against high-profile targets has shown that it is entering the toolboxes of sophisticated attackers.
The JSocket family of malware is currently monitored with our active intelligence and surveillance program. As we continue our research, we will report on its use against enterprises and investigate the actors behind this malware. We expect to publish an additional Fidelis Threat Advisory in the near future.
Summary of Indicators:
Giftedman.serveblog.net / 220.127.116.11 on port 1818
TT Reference Number-#150807000000.pdf.jar
Subscription server (only builders talk to this IP):
JSocket.org / 37.61.257.251
Prior Subscription server:
Carity.x10host.com / 18.104.22.168
Other malware settings:
-John Bambenek and Hardik Modi