AlienSpy RAT Resurfaces as JSocket

The dismantled AlientSpy remote access Trojan, the same malware found on the phone of dead Argentine prosecutor Alberto Nisman, has resurfaced with new crypto and a new name.

Even before a stunning revelation at Black Hat 20 days ago that spyware had been found on the phone of a dead Argentine prosecutor, the handlers of the AlienSpy remote access Trojan closed up shop, revamped and renamed the spyware, and moved operations to new domains, researchers at Fidelis said.

In January, Alberto Nisman, an outspoken prosecutor who was scheduled to testify before Argentina’s legislature alleging a cover-up by President Cristina Fernandez de Kirchner of Iran’s involvement of 1994 bombings in Buenos Aires, was found dead. His death was ruled a suicide, but evidence, according to published reports, does not support that conclusion.

At Black Hat in a presentation with Marion Marschalek of security company Cyphort and last week in article published on The Intercept website, First Look Media director of security Morgan Marquis-Boire said that Nisman’s Android phone was infected with AlienSpy for as long as six weeks. The file found on Nisman’s phone “estrictamente secreto y confidencial.pdf.jar,” Marquis-Boire said was bundled with AlienSpy, a commercially available remote access Trojan written in Java that had been used by other threat actors against targets in critical infrastructure. The RAT not only collects system information and establishes a backdoor for the upload of malicious executables (including a keylogger) and the extraction of stolen data, AlienSpy can also capture webcam sessions, listen in on the machine’s microphone, provide remote desktop control, steal browser credentials, and access files.

Researchers at Fidelis in April reported on an outbreak of AlienSpy infections moving via phishing messages. Shortly after the publication of that report, domain registrar GoDaddy suspended the AlienSpy domain and within two weeks, the current jsocket[.]org domain was registered at provider eNom, Fidelis said in a report published today. By July 11, they said, AlienSpy was no more and users were told to point to jsocket[.]org at a UK-based host called LayerIP.

Since then, new phishing campaigns have been moving the RAT to new targets in industries such as utilities, government agencies, telecommunications and others. JSocket, like its predecessor, is commercially available and likely susceptible to the same type of takedown, researchers said.

“It’s publicly available; a Bitcoin transaction gets you the package. They do operate in the open,” said Fidelis vice president of threat researcher Hardik Modi. “They are hiding their tracks. We have not uncovered who the party is that’s creating and distributing the malware, but it’s commercially available under a subscription-based licensing scheme and the builder connects to their system. That was the root cause of the network going down in April; their registrar shut them down after public reports in April. They yanked the domain and nullified every version of the package that had been acquired to that point.”

The version on Nisman’s phone was malware meant to infect a Windows machine; AlienSpy does support multiple platforms including Android, Linux and Mac OS X, but is primarily a threat to Windows machines. Marquis-Boire said it’s unknown yet whether Nisman opened the phishing email on his laptop.

Fidelis’ Modi said JSocket is still Java-based and has been updated with a new encryption scheme and key that makes unpacking and analysis challenging. It also tries to install a Java client on the victim’s machine if one is not present.

“The functionality available with the RAT is comparable to other RATs, however, a lot of organizations naturally block executable content, Windows PE files, from entering the environment,” Modi said. “But there just isn’t same attention paid to Java files. Jar files entering the environment are not subject to same level of scrutiny.”

Suggested articles