New Evasion Techniques Help AlienSpy RAT Spread Citadel Malware

Researchers at Fidelis report a new strain of AlienSpy, a remote access tool that’s being used to deliver the Citadel Trojan to critical industries.

Hackers have co-opted AlienSpy, a remote access tool, to deliver the Citadel banking Trojan and establish backdoors inside a number of critical infrastructure operations.

AlienSpy is a descendent of the Adwind, Unrecom and Frutas Java-based remote access Trojans, according to security company Fidelis, which is owned by General Dynamics. Fidelis said today in its report that AlienSpy RAT infections have been reportedly been spreading via phishing messages, and have been discovered inside technology companies, financial services, government agencies, and energy utilities.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs,” Fidelis said in its report.

It has multiplatform support for Windows, Linux, Mac OS X and Android machines and devices, Fidelis said. In addition to typical RAT behavior such as collecting system information, establishing a backdoor for the upload of malicious executables (including a keylogger) and the extraction of stolen data, AlienSpy can also capture webcam sessions, listen in on the machine’s microphone, provide remote desktop control, steal browser credentials, and access files. In all, there are 12 AlienSpy plugins delivering these spying capabilities.

This version also comes with the capability to detect whether it’s being executed inside a virtual machine, such as VMware or Oracle’s Virtual Box. Other self-preservation techniques include the ability to disable antivirus and other security tools, and use TLS encryption to protect communication with a centralized command-and-control server.

“Network traffic encryption is performed to obfuscate the malicious network traffic with the command and control server (CnC),” Fidelis said. “Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise.”

Fidelis was able to crack open a configuration file and see a long list of commercial and open source security tools it can sidestep, including network packet analyzer Wireshark.

One sample caught by Fidelis was dropping the Citadel banking malware, which has been repurposed in the past for use against critical industries. Most of the phishing lures used to entice victims to open and execute the malware have business themes to them referencing previous orders, remittance notifications, or supposed payment information. The malware was also obfuscated with the Allatori Java obfuscator which appears to be integrated in the AlienSpy builder, Fidelis said.

This sample also revealed DNS information for the command and control server (owoego[.]chickenkiller[.]com), that it used port 9999 used for backdoor communication, VMware and Virtual Box detection and information about the Java archive including its folder, name, extension, and registry key.

Fidelis recommends enterprises inspect attachments containing .jar attachments before allowing users to handle them.

“You may not want personnel in the Finance, HR, or Executive office receiving emails with executable file attachments, or archives containing executable files, that could potentially place them at risk,” Fidelis said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.