AlienSpy RAT exploited to deliver the popular Citadel Trojan

Security experts at Fidelis firm discovered that variants of the AlienSpy remote access trojan (RAT) are currently being used in global phishing campaigns.

Cyber criminals have exploited the AlienSpy RAT to deliver the popular Citadel banking Trojan and maintain the persistence inside the targeted architecture with a backdoor mechanism. Criminal crews used AlienSpy RAT to compromise systems in a number of industries, including energy utilities, financial services, government agencies, and technology companies.

The Citadel trojan was used by threat actors in the wild to target critical infrastructure.

According to the experts from security firm Fidelis, AlienSpy represents the evolution of other remote access tools like Adwind, Unrecom and Frutas Java-based RATs.

The attackers spread the AlienSpy RAT with a classic phishing campaign, the malware has the ability to compromise multiple platforms, including Windows, Linux, Mac OS X and Android.

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs. It must be noted that previous generations in this RAT continue to be used in specific campaigns, notably Adwind. However, we’re currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.” states the report published by Fidelis.

AlienSpy implements the typical features of other RATs plus further features, including the ability to capture webcam sessions, to steal browser credentials, to use the victim’s microphone to record environment conversations, to access files and to provide a remote desktop control.

AlienSpy uses plugins to implement the above capabilities, the experts have discovered 12 different plugins.

The strain of malware is a well written strain of malware, its authors implemented a series of protection features, like the ability to avoid the execution in a virtual machine (usually used by malware researchers to study the malicious code) and to disable security solution installed on the victim’s machine (i.e. Antivirus software).

The traffic between the AlienSpy RAT and the C&C servers is protected by TLS encryption to

“Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise.”

“Network traffic encryption is performed to obfuscate the malicious network traffic with the command and control server (CnC),” reads the report. 

Fidelis experts suggest companies to carefully analyze archives with executable files (e.g. .exe, .jar, .scr, etc.) attached to incoming emails

“Enterprises are recommended to implement policies in which emails containing archives with executables files (e.g. .exe, .jar, .scr, etc.) are inspected by a security appliance before reaching the end user.” states Fidelis.

Pierluigi Paganini

(Security Affairs –  AlienSpy RAT, Citadel)