Remote Access Trojans (RATs) are often recycled and redeveloped in the changing cybersecurity landscape. These kinds of Trojans are exploited through phishing campaigns which use flawed emails and malicious files to deliver malware payload to affect particular industries, consumers or businesses.
According to security firm Fidelis, the newly-discovered AlienSpy Trojan is currently being used in international phishing campaigns against both consumers and the enterprise, although generally has been detected in campaigns based in the technology, finance, government and energy sectors.
AlienSpy currently supports infections on Windows, Linux, Mac OSX and the Android mobile operating system.
The Java-based Trojan provides an attacker a full access and control over a compromised system. The malware is able to collect system information including OS version, RAM data and computer name. It also uploads malware packages, capture webcam and microphone streams without consent.
The campaigns include njRAT, njWorm and Houdini RAT all of which are recognized to evolve in the nature of delivery rather than in core functionality. The security firm believes the new RAT has benefited from “unified,” collaborative development. As a result, the Trojan is more sophisticated and has expanded functionality.
“Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise. To prevent various security tools from running, this version of AlienSpy performs various registry key changes,” the security firm said. “Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections.”
AlienSpy’s additional capabilities include sandbox detection tool, the detection and disabling of antivirus software, and the use of Transport Layer Security (TLS) cryptographic protocols to secure its connection to the command and control (C&C) server.