New Evasion Techniques Help AlienSpy RAT Spread Citadel Malware

Researchers at Fidelis report a new strain of AlienSpy, a remote access tool that’s being used to deliver the Citadel Trojan to critical industries.

Hackers have co-opted AlienSpy, a remote access tool, to deliver the Citadel banking Trojan and establish backdoors inside a number of critical infrastructure operations.

AlienSpy is a descendant of the Adwind, Unrecom and Frutas Java-based remote access Trojans, according to security company Fidelis, which is owned by General Dynamics. Fidelis said today in its report that AlienSpy RAT infections have reportedly been spreading via phishing messages, and have been discovered inside technology companies, financial services, government agencies, and energy utilities.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs,” Fidelis said in its report.

It has multiplatform support for Windows, Linux, Mac OS X and Android machines and devices, Fidelis said. In addition to typical RAT behavior such as collecting system information, establishing a backdoor for the upload of malicious executables (including a keylogger) and the extraction of stolen data, AlienSpy can also capture webcam sessions, listen in on the machine’s microphone, provide remote desktop control, steal browser credentials, and access files. In all, there are 12 AlienSpy plugins delivering these spying capabilities.

This version also comes with the capability to detect whether it’s being executed inside a virtual machine, such as VMware or Oracle’s VirtualBox. Other self-preservation techniques include the ability to disable antivirus and other security tools, and the use of TLS encryption to protect communication with a centralized command-and-control server.

“Network traffic encryption is performed to obfuscate the malicious network traffic with the command and control server (CnC),” Fidelis said. “Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise.”

Fidelis was able to crack open a configuration file and see a long list of commercial and open source security tools it can sidestep, including network packet analyzer Wireshark.

One sample caught by Fidelis was dropping the Citadel banking malware, which has been repurposed in the past for use against critical industries. Most of the phishing lures used to entice victims to open and execute the malware have business themes, referencing previous orders, remittance notifications, or supposed payment information. The malware was also obfuscated with the Allatori Java obfuscator, which appears to be integrated into the AlienSpy builder, Fidelis said.

This sample also revealed the DNS name of the command and control server (owoego[.]chickenkiller[.]com), that port 9999 was used for backdoor communication, the VMware and VirtualBox detection routines, and information about the Java archive including its folder, name, extension, and registry key.

Fidelis recommends that enterprises inspect .jar attachments before allowing users to handle them.

“You may not want personnel in the Finance, HR, or Executive office receiving emails with executable file attachments, or archives containing executable files, that could potentially place them at risk,” Fidelis said.
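One way to put that advice into practice at a mail gateway is to judge attachments by content rather than by name, and to look inside archives for nested executables. The following is an added example, not code from Fidelis or the article; the file names and the minimal JAR are constructed for the demonstration.

```python
import io
import os
import zipfile

# Extensions the report's advice covers: Java archives and Windows executables,
# whether attached directly or hidden inside another archive.
EXECUTABLE_EXTS = {".jar", ".exe", ".scr", ".com", ".pif"}

def zip_entries(data):
    """Return (name, bytes) for each file in a ZIP/JAR; [] if not a valid archive.
    JARs are ZIP containers, so the magic bytes are checked, not the file name."""
    if data[:4] not in (b"PK\x03\x04", b"PK\x05\x06"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []

def inspect_attachment(filename, data, depth=0, max_depth=3):
    """Return the reasons (if any) an attachment should be held for review."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable/Java extension {ext}")
    entries = zip_entries(data)
    # A manifest or .class entries mark a Java archive whatever the sender named it.
    if any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n, _ in entries):
        findings.append(f"{filename}: content is a Java archive")
    # Recurse into archives so a .jar zipped inside a "remittance" ZIP is still caught.
    if depth < max_depth:
        for name, inner in entries:
            findings.extend(inspect_attachment(f"{filename}/{name}", inner, depth + 1, max_depth))
    return findings

def build_sample():
    """Constructed sample (not from the report): a ZIP wrapping 'invoice.pdf.jar',
    a minimal Java archive with a manifest and one class file stub."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.jar", jar.getvalue())
    return outer.getvalue()
```

Running `inspect_attachment("Remittance_Advice.zip", build_sample())` reports the nested file twice, once for its .jar extension and once because its contents are a Java archive, while a plain PDF yields no findings.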

Discussion

  • RV on

    I just reposted this on another forum and a guy there claims it was all FUD, Linux is not used that way, then backed up and said it was not as efficient on Linux. I asked him to post here and school everyone but alas he has not shown. Thanks Michael for another good article.
  • Craig Jungers on

    I tracked down the Fidelis report on this exploit and it appears to be solely aimed at Windows machines. While the original exploit might be executed on a Linux/Unix/OSX machine WITH JAVA RUNTIME INSTALLED, the malware dropped would not work. At least, the malware dropper illustrated in the .pdf wouldn't work. As far as a virtual machine is concerned it appears that if the original malware (a .jar) finds evidence of a virtual machine on a Linux box, it stops. Also, the illustrations of the phishing software are all types of software that will only execute on a device with a Java runtime or one that will execute file types with .jar and .tar, etc. suffixes (e.g.: Windows). It's an interesting bit of code but it's not particularly dangerous to most iOS or Android users or, for that matter, to Linux, Unix or OSX users.
  • Craig Jungers on

    Is there any evidence that this is actually a threat to the Linux/Unix/OSX systems? Do the Java files actually execute when the victim clicks on them as they would in a Windows OS? And if they do, can they create the subdirectories and then request and download the payload? Because everything in the Fidelis report is directed towards Windows with registry changes and .exe files. None of this would work in an *nix environment.
