Alien Spy Rat Drops Banking Malware in Linux, Firefox, VM, Android, OSX, Windows

[RV_]

It used to be that folks with Linux and OSX, or folks running Windows and Firefox instead of Internet Explorer felt relatively safe from attack. This malware even recognizes when it is executed inside of virtual machines. Scary stuff for all.

 

Excerpt:

 

“We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs,” Fidelis said in its report.

 

It has multiplatform support for Windows, Linux, Mac OS X and Android machines and devices, Fidelis said. In addition to typical RAT behavior such as collecting system information, establishing a backdoor for the upload of malicious executables (including a keylogger) and the extraction of stolen data, AlienSpy can also capture webcam sessions, listen in on the machine’s microphone, provide remote desktop control, steal browser credentials, and access files. In all, there are 12 AlienSpy plugins delivering these spying capabilities.

 

This version also comes with the capability to detect whether it’s being executed inside a virtual machine, such as VMware or Oracle’s Virtual Box. Other self-preservation techniques include the ability to disable antivirus and other security tools, and use TLS encryption to protect communication with a centralized command-and-control server.

 

“Network traffic encryption is performed to obfuscate the malicious network traffic with the command and control server (CnC),” Fidelis said. “Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise.” Fidelis was able to crack open a configuration file and see a long list of commercial and open source security tools it can sidestep, including network packet analyzer Wireshark. One sample caught by Fidelis was dropping the Citadel banking malware, which has been repurposed in the past for use against critical industries. Most of the phishing lures used to entice victims to open and execute the malware have business themes to them referencing previous orders, remittance notifications, or supposed payment information. The malware was also obfuscated with the Allatori Java obfuscator which appears to be integrated in the AlienSpy builder, Fidelis said."

 

See more at: https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064#sthash.CjYCjNW8.dpuf

[wa_desert_rat]

It used to be that folks with Linux and OSX, or folks running Windows and Firefox instead of Internet Explorer felt relatively safe from attack. This malware even recognizes when it is executed inside of virtual machines. Scary stuff for all.

Another attempt to make it appear that Linux is just as vulnerable as Windows to attacks. It's not!

 

The big difference is that every Windows user has to work as his (or her) machine Administrator so that a phishing attack (which is what the RAT hack is) can gain access to kernel space (because the graphical user interface is on ring zero - otherwise known as kernel space).

 

No one in the Linux world operates as Administrator except when doing Admin things (using sudo, mostly); most Linux distros don't even give you an admin account; everything is done using sudo. So all a Java exploit can do, at most, is gain access to user space. And even that is difficult because on Linux you have to enter a password to do an install; on Windows you just click "yes".

 

This particular exploit has been around for years. This is pure FUD.

 

WDR

[RV_]

Hi you mean that Kaspersky Threatpost is passing along FUD? Are you saying that all Linux users are immune and that none have been cracked by this exploit regardless of methodology? There is a comment thread at the bottom of that article. I look forward to your opposing post there.

 

If you missed it above, the article with its comments section with no comments yet is here: https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064

 

Please let me know when you have set them straight and your comments there posted.

[wa_desert_rat]

Hi you mean that Kaspersky Threatpost is passing along FUD? Are you saying that all Linux users are immune and that none have been cracked by this exploit regardless of methodology? There is a comment thread at the bottom of that article. I look forward to your opposing post there.

 

If you missed it above, the article with its comments section with no comments yet is here: https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064

 

Please let me know when you have set them straight and your comments there posted.

It's a phishing attack... and that sort of attack require the computer operator to give away something. The resulting exploit is much less efficient in Linux/Unix than it is in Windows. And it's almost impossible in Android/iPhone because neither of them let you easily install Java.

 

WDR

[Ron]

Another attempt to make it appear that Linux is just as vulnerable as Windows to attacks. It's not!

 

The big difference is that every Windows user has to work as his (or her) machine Administrator so that a phishing attack (which is what the RAT hack is) can gain access to kernel space (because the graphical user interface is on ring zero - otherwise known as kernel space).

 

No one in the Linux world operates as Administrator except when doing Admin things (using sudo, mostly); most Linux distros don't even give you an admin account; everything is done using sudo. So all a Java exploit can do, at most, is gain access to user space. And even that is difficult because on Linux you have to enter a password to do an install; on Windows you just click "yes".

 

This particular exploit has been around for years. This is pure FUD.

 

WDR

WDR,

What is your assessment of the threat of this RAT on an OSX/Safari computer? Does running a Java Script Blocker extension on Safari void this threat?

Thanks,

ron

[wa_desert_rat]

WDR,

What is your assessment of the threat of this RAT on an OSX/Safari computer? Does running a Java Script Blocker extension on Safari void this threat?

Thanks,

ron

Ron,

 

This particular bit of malware drops a Java aplet onto your computer. But, unless the information I have is badly out of date, it's a phishing exploit which means that it has to fool you into executing it. I don't know how the Javascript blocker on Safari works but all you have to do is be very alert to exactly what sorts of links you are clicking on. Windows users automatically execute a lot of malware in Outlook and Internet Explorer and can be set up to offer you a link that looks like it's valid when you mouse over it. Linux and Unix don't do that... you get to see what it is you are clicking on. If Apple has developed their system with the same sorts of features you're probably safe.

 

Just watch what you click on.

 

This link, below, says that the RAT doesn't drop a payload into OSx or Unix. Maybe the code has been altered. But this code you can actually look at.

 

http://contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html

 

WDR

[RV_]

You've posted in the comments on Kaspersky threat post? Let me refresh that page. Nope not there yet.

 

See your immediate FUD claim, like others, seems to indicate you believe you are the focus of my posts. Sorry you are not on my radar that way. If you want to troll my posts by all means do. But you won't post that it is FUD on the source's comments section will you?

 

Notice no defense by me in response to your post? I think you need to try to tell that to Michael Mimoso who wrote it along with these articles in this list: https://threatpost.com/author/michael

 

As far as it being a Phishing attack, I have to say "DUH?" because that is in the second paragraph of the article which I did not use as part of my fair use excerpt. So I did not need that explained, but had you read it first you would have seen the second paragraph right?

 

Second Para for the benefit of those who never go to, let alone read, links:

 

"AlienSpy is a descendent of the Adwind, Unrecom and Frutas Java-based remote access Trojans, according to security company Fidelis, which is owned by General Dynamics. Fidelis said today in its report that AlienSpy RAT infections have been reportedly been spreading via phishing messages, and have been discovered inside technology companies, financial services, government agencies, and energy utilities. - See more at: https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064#sthash.aC24xaLC.dpuf"

I'm sure those Technology companies, financial services, government agencies, and energy utilities are all relieved to hear that they are imagining it because WDR on an obscure forum said it was FUD?

 

Again please call FUD to the source. I'll be looking for your comments there. If not then I'll take that for exactly what it is worth. The soiurce of the FUS is Fidelis. Who are these FUD mongers one might ask? Well they are:

 

"Fidelis Cybersecurity is a computer security company focused on prevention of advanced threats and data breaches. International Business Machines, the United States Army and the United States Department of Commerce are among its customers.[1]

 

Fidelis offers network security appliances, which include the company's patented[2] Deep Session Inspection architecture. The company claims speed and accuracy in network traffic inspection among its technical differentiators.[3]

 

In August 2012, General Dynamics announced an agreement to acquire Fidelis into its Advanced Information Systems division.[4] In April 2015 Marlin Equity Partners announced an agreement to acquire the company.[5]"

 

http://en.wikipedia.org/wiki/Fidelis_Cybersecurity

 

Fidelis’ flagship product, Fidelis XPS™, is an advanced threat defense platform which is recognized by many of the largest organizations around the globe as highly effective in detecting and preventing not only initial malware infections, but also the subsequent spread of malware within the organization and the theft of information it perpetrates. Fidelis complements this solution with an elite incident response team which is on the frontline helping customers investigate breaches and stop zero days, and a threat research team, conducting original research and incorporating real-time insights into Fidelis XPS. Fidelis has customers across industries, including financial services, healthcare, retail, technology, government and critical infrastructure. In addition, Fidelis has worldwide reseller and trusted advisor partners that extend its market reach, but bring to bear their significant expertise to help customers succeed in their battle against cyber attackers.

 

Yeah, I reprint FUD mongers all the time here WDR.

 

Have nice day!

 

Edit,

WDR, I know your post on Threatpost is awaiting moderation like mine about this is. I'm easy to spot as I am RV there too.

 

Ron you can ask about OSX there too. Their info isn't old, and Threatpost is one of the most respected Security publications available. Just post and do the neat Captcha and check the box to be alerted to new posts and responses so you don't have to keep it open to see when you get a replay after moderation of your post.

 

Safe Computing!

[wa_desert_rat]

You've got to be kidding. You're practically the king of FUD around here. Let me quote your first paragraph:

 

"It used to be that folks with Linux and OSX, or folks running Windows and Firefox instead of Internet Explorer felt relatively safe from attack. This malware even recognizes when it is executed inside of virtual machines. Scary stuff for all."

 

It looks to me like you are, again, trying to equate the insecurities of Windows NT kernel with Linux to make them both look like they are equally vulnerable. When they are not equally vulnerable. That is the definition of FUD.

 

WDR

[wa_desert_rat]

I should add that RAT is part of a TARGETED attack in which the black hats scope out a victim and then tailor-make an email or a URL for that victim which, when executed, then looks for the target; usually a bank or financial institution.

 

It's unlikely that any of us has access to the sorts of funds that would make us attractive to a bad guy but I still vote with Stanley on using a CD or DVD drive (or other unwritable media) when doing banking or other critical privacy business on line. You'll have to memorize your credentials every time but unless the .iso you're using (the DOD .iso of Linux is preferred) is cracked you are a lot safer. This is because even if you get an effective exploit that cracks your machine, when you turn it off everything in RAM is gone. You start with a fresh installation every time you boot up with that .iso.

 

Edit: Oops, forgot the link: http://www.spi.dod.mil/lipose.htm. Get the "delux" version. Notice that it includes Java which would, technically, make it vulnerable to the RAT exploit (if the RAT exploit actually dropped a malware package into Linux) but since you're not out browsing with this light version of Linux (other than to do your specific banking chores) you're safe. If you think you're not, just reboot. It's a brand new install every time unless you use a thumb drive that is writable (DON"T).

 

I know it's a lot of trouble, but it is the best security you'll get on the 'net.

 

WDR

[bigjim]

Anyone giving odds yet.

[RV_]

You've got to be kidding. You're practically the king of FUD around here. Let me quote your first paragraph:

 

"It used to be that folks with Linux and OSX, or folks running Windows and Firefox instead of Internet Explorer felt relatively safe from attack. This malware even recognizes when it is executed inside of virtual machines. Scary stuff for all."

 

It looks to me like you are, again, trying to equate the insecurities of Windows NT kernel with Linux to make them both look like they are equally vulnerable. When they are not equally vulnerable. That is the definition of FUD.

 

WDR

 

I didn't think you would post there. Thanks for your negative assessment. I don't write for you. Lots of folks appreciatemy posts here, you are entitled to your rants. But attacking other members the way you are trying to do is called claptrap by dictionary definition. You are just plain rude in addition to being wrong. Pursue it further in the source's thread if you will. I do claim that users are fooled with social engineering most of the time today.

 

Phishing has nothing to do with the kernel. Phishing has nothing to do with the OS. This threat is infected after successfully Phishing, getting the credentials, to take control and infect with it.

 

"Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.[1][2] The word is a neologism created as a homophone of fishing due to the similarity of using fake bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware.[3] Phishing is typically carried out by email spoofing[4] or instant messaging,[5] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[6] and exploits the poor usability of current web security technologies.[7] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Many websites have now created secondary tools for applications, like maps for games, but they should be clearly marked as to who wrote them, and users should not use the same passwords anywhere on the internet.

 

Phishing is a continual threat that keeps growing to this day. The risk grows even larger in social media such as Facebook, Twitter, Myspace etc. Hackers commonly use these sites to attack persons using these media sites in their workplace, homes, or public in order to take personal and security information that can affect the user and the company (if in a workplace environment). Phishing is used to portray trust in the user since the user may not be able to tell that the site being visited or program being used is not real, and when this occurs is when the hacker has the chance to access the personal information such as passwords, usernames, security codes, and credit card numbers among other things."

http://en.wikipedia.org/wiki/Phishing

 

You just got through telling how you only have old info and the article clearly states that the new methodology is different than previous RATs. Give it a rest WDR. If you think my posts are all FUD don't read them. If you think you are going to disprove anything not to your liking it is amazing how you go from expert today on this new methodology, tp backing up when asked how it affects OSX as only having old info and you don't know.

 

Now I am going to put this as clearly as I can.

This is new.

 

If you only have old info then perhaps you can come back once you have digested the new stuff I brought up.

 

You sure do resort to name calling fast.

 

And I will continue to post about new threats in Linux, as well as Windows and OSX that I think some might find useful. You can come in for your local defense of all things Linux, call names and raise a fuss. I was writing my response and since you clarified phishing, darn!

 

Betcha didn't look up claptrap.

[wa_desert_rat]

RV... did you read this link (dated November 17, 2014)? Did you see this part: "The RAT is crossplatform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux." Did you look at the code?

 

http://www.quora.com/Can-I-get-hacked-by-clicking-on-a-malicious-link-What-can-I-do-to-protect-myself-if-I-clicked-on-a-malicious-link

 

Maybe you should post a link to FUD from Wikiepedia.

 

The simple facts are that a Phishing attack is far more successful on Windows machines (and especially with Outlook and Internet Explorer) than it is on Linux or Unix. And a Java attack on a machine that cannot execute Java is completely useless.

 

1. Because both Outlook and iexplore allow the attacker to make their links look innocent when you mouse over them. This link explains it in more detail: http://www.quora.com/Can-I-get-hacked-by-clicking-on-a-malicious-link-What-can-I-do-to-protect-myself-if-I-clicked-on-a-malicious-link. Because Windows allows certain suffixes (.php and .pdf among otheres) to be executed when you click on them and because it is possible, only with Windows, to make those malicious links look innocent, a user on Windows is far more likely to be infected via phishing than a user on Linux. You should know this already.

 

2. Because with Linux you must either be system admin (root) or using sudo to install malicious programs it is harder to fool a Linux user with a phishing attack. PLUS it is not possible to obfuscate a malicious link in Linux like it is in Windows. You should know that, too.

 

So when you equate an attack that is widely successful on Windows with an attack on Linux and then haven't done enough research to realize that other malware with the RAT characteristics could not drop malicious software into Linux or OSX, it looks like FUD to me.

 

The Fidelis information included zero code and no data output so it is impossible for me to determine if it's new. And if it's impossible for me to determine that, then I can safely assume that it's also impossible for you. So your assertion that it's new is based on data that you cannot authenticate.

 

WDR

[wa_desert_rat]

And I don't think your POSTS are all FUD. But I do think that your lead-ins are often misleading at best.

 

WDR

[wa_desert_rat]

I found some more details. Pretty spiffy system. Go through it and see if you can find out how it would work on a system without Java. Or on anything other than Windows.

 

http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf

 

I did discover that it doesn't work on a virtual machine. It actually detects whether there is a virtual machine and then stops.

 

No indication whether it's newer than the exploit of the same name I linked to, above.

 

WDR

[wa_desert_rat]

This exploit requires Java and/or the ability to execute .zip and .tar file types. So unless you have modified your Android devices to allow execution of those file types or .jar files (Java) you're not going to be infected with this.

 

Here is further indication that, even though the malware mentions Linux, it executes only on Windows. This is the malware dropper's characteristics:

 

File Name: gobe.exe

File Size: 339968 bytes

MD5: 87dfaecaffb20d8b6db35932a84b509c

SHA1: d66e5f2a64cff046b7f3131b07b385864f76eb99

PE Time: 0x550FCFF3 [Mon Mar 23 08:33:55 2015 UTC]

PEID Sig: Microsoft Visual C# / Basic .NET

PEID Sig: Microsoft Visual Studio .NET

PEID Sig: .NET executable compressor

 

All of this is solely executable on MS systems.

 

On Linux/Unix (including OSX) systems which have Java runtimes installed it's possible that the exploit could be executed but the malware drop would not work.

 

This is the same exploit mentioned in the November 17, 2014 link, above.

 

WDR

[Ron]

RV, thanks for the alert. WDR thanks for your elucidation and interpretation. I know just enough about this stuff to be dangerous. I am very aware of phishing, and so far have never been a victim. I also know that UNIX and most of its variants have proven themselves, over the years, to be far less vulnerable to malware of all types than Windows. I've been using Apple OS's exclusively for my home computers since 1984 and have never run anti-virus software and have never had any malware problem that I'm aware of (knock on wood) - that ought to jinx me - I'll probably have a problem tomorrow! I understand that this is partly due to their relative unpopularity vs. Windows but with the advent of OSX I think it's also due to its inherently superior design.

 

After reading the links in this thread it does sound to me like the primary targets of this RAT are not home computers but rather computers at major corporations or governments. Am I being naive?

 

---ron

[wa_desert_rat]

 

After reading the links in this thread it does sound to me like the primary targets of this RAT are not home computers but rather computers at major corporations or governments. Am I being naive?

 

 

No, you're not being naive. The RAT has, at least so far, been targeted and guys like you and me are not likely targets. And unless Fidelis knows a lot more than their report (the .pdf) has indicated, this particular version of the RAT won't work on your OS anyway.

 

WDR

[RV_]

Ron,

Regardless of statements to the contrary, one of the world's respected security firms published this report, which I will excerpt, but you can safely download the pdf yourself to read from a source with a lot more actual expertise than any of us here have in current threat reporting. While FUD may be a rallying cry when faced with any security breaches by some people with Linux or Mac systems, most, like you, are a bit more cautious. Saying that I have only had a minor infection get through my defenses but I saw it happening and pulled the plug on my connection and stopped it, does not mean my defenses were weaker than another's. It simply meant that a bot somewhere tried to drop a load in my system and because of keeping my security and performance patches up to date, as well as having good online and email habits, it could not do more than get on my system, and it was removed easily with dual scans. Let's also remember the story of the man who paid $100 a month for elephant repellant. When asked why he would do such a crazy thing in the middle of Texas he responded, Crazy? DO you see any elephants?

 

My not getting actually infected despite several attempts in the last decade like the Washington Post getting hacked and a Trojan trying for several hours to infect their visitors to the website, which was the one I saw, does not prove Windows is more secure than Apple or Linux, nor vice versa. I have seen the folks getting hung up in definitions claiming no viruses can infect X OS because self replicating virii don't work. That leaves 99% of infections today still not discussed as most infections today are from hacks of websites, many Linux, and phishing attacks. So who has been seen to be targeted in these recent attacks?

 

Excerpts, the red highlighting is mine:

 

"Fidelis Threat Advisory #1015
Ratting on AlienSpy Apr 08, 2015
Document Status: 1.0 Last Revised: 2015-04-08

Executive Summary This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research as well a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT [1], [2], [3], [4].

There is a long line of RATs that have received attention in the past few years and are known to be related in provenance and have been observed in related campaigns. These include njRAT, njWorm and Houdini RAT, all of which have been repeatedly deployed against victims in the consumer space as well as large enterprises. These RATs are recognized to have a robust feature set and much of the evolution that has been seen is in the nature of the delivery, rather than in core functionality.

AlienSpy is different in this regard. It is the latest in a well known lineage of RATs – Frutas, Adwind and Unrecom are all predecessors. We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs. It must be noted that previous generations in this RAT continue to be used in specific campaigns, notably Adwind. However, we’re currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.

Key Findings: 

 

AlienSpy is a full-featured RAT currently used in multiple campaigns globally, targeting consumers and enterprises and currently detected by a limited set of antivirus products. 

 

Current versions of AlienSpy provide features like multiplatform support, including Android, VM evasion and TLS-encrypted communications that extend beyond other commodity RATs. 

 

AlienSpy is the latest in a family of RATs such as Adwind, Frutas and Unrecom, all of which have been observed in campaigns targeting large enterprises. These tools have rapidly evolved through continuous updates and are made available through various subscription models, which is innovative for this class of malware.

 

Recommended Actions:  Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT. To this end, we are publishing a Yara rule as well as a set of Indicators of Compromise (IOCs).

 

OK that is the summary of the threat assessment report. On to the body of the report.

 

AlienSpy – the details
Similar to other RATs, AlienSpy RAT provides the attacker with full control over the compromised system. AlienSpy supports infections on Windows, Linux, Mac, and Android devices.

The AlienSpy tool has some of the following capabilities in common with other RATs like njRAT and Houdini RAT:

- Collection of System Information (e.g. IP, OS version, memory RAM information, Java version, Computer Name, etc.)

 

-Upload & Execute additional malware

 

- Capture Webcam and Microphone, without user notification

 

- Remote Desktop to watch user activity

 

- File Manager allowing access to files in the context of the current user

 

- Browser Password theft

 

- Keylogging to capture passwords otherwise obscured from viewing

Additionally, the current version of AlienSpy possess the following capabilities that exceed other widely used RATs:

- Sandbox detection - Detection, disabling and killing of various antivirus and security tools - TLS protected command-and-control

The following is a screenshot of one of the AlienSpy RAT builders:

 

More

 

In this paper we will not go into details about Allatori deobfuscation since it has been well covered in the security community and some decoder/decrypters has been released. For more information, please look at the references section of this paper. One of the main purposes of using file obfuscators is to bypass network perimeter defenses and to make it more difficult for malware reverse engineers to analyze the malicious code.

 

That pdf report by Fidelis was linked to in the article I posted above, and can be found here, scroll down to " FTA 1015 - Ratting on AlienSpy " : http://www.fidelissecurity.com/resources/threat-advisory

 

Now as to the claims that it is not attacking or able to attack Linux or OSX systems let's go to one of the above mentioned references from the report.

 

Excerpt - Note, each of the steps below are accompanied in the original document online by screen shots of each of these steps as coded, for folks who claim it is incapable of infecting Linux or OSX due to different targeting or efficiencies, so they can see how it does it in Linux and OSX. Also fully expect a fallback from can't infect Linux or OSX for reasons like targets are only big corps or that it is less efficient on their systems still are fallbacks from bold exclamations of FUD:

 

"Windows

On Windows systems the malware is copied to new directory with %appdata% and a new value under the Run key is created to launch the malware. The value name is the string defined within the JAR_REGISTRY config setting and the value is the command line to launch the malware 'java -jar <path-to-jar>'. The jar path and file name is defined by the JAR_ properties described above.

 

Linux

On a Linux system the jar file is copied to the hidden directory <JAR_FOLDER> within the user's home directory and renamed to <JAR_NAME>.<JAR_EXTENSION>. The malware then creates a .desktop file within the users autostart directory ~/.config/autostart/<JAR_REGISTRY>.desktop to launch the RAT when the desktop is started.

 

MacOS

Like on Linux systems the malware creates a file under a new directory <JAR_FOLDER> in the user's home. It then creates a new job within the user's Library/LaunchAgents directory com.<JAR_REGISTRY>.plist

The generated configuration file has the optional key RunAtLoad set to true; this instructs launchd to run the job once when it is loaded.

 

Once the job file is created, it then runs the command "chflags hidden <JAR_FOLDER>" to set the hidden flag and hide the directory from the UI.

 

Sandbox Detection

When executed AlienSpy checks if it is running within either a VirtualBox or VMWare environment. If it detects that it is running within a VM the application exits. The detection technique isn't advanced and is done by detecting files installed as part of the VM host guest tools.

 

For VirtualBox this is either the file "/etc/init.d/vboxadd" in Linux or the directory "Oracle\Virtualbox Guest Additions" in Windows. If the RAT is running within a Mac environment it returns false.

 

Similarily for VMware this is the directory "/etc/vmware-tools" in Linux "/Library/Application Support/VMware Tools" in Mac and "VMware\VMware Tools" in Windows.

 

Download & Execute
The server can issue the command Id 8 which instructs the client to download and execute the downloaded file. The payload for this command includes the URL to download the file from and the extension to append to the file once it is downloaded.

Requests are made using the UserAgent:

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Once the file is downloaded the file is passed to an opener function where it determines how to launch the downloaded file. The opener first checks if the downloaded file ends in '.jar' if it does it will generate a string 'java -jar <downloaded jar>' and execute it.

If the malware is running on MacOS it will also append the argument -Dapple.awt.UIElement=true

 

If the file doesn't end in .jar the opener will use the preferred method to open files for the host OS. For Windows systems this is cmd, for Linux this is either /usr/bin/open or /usr/bin/xdg-open and for MacOs this is java.awt.Desktop.getDesktop().open

 

The entire article with all the screen shots of the infection as it infects Linux, OSX, as well as Windows machines go here: http://blog.idiom.ca/2015/03/alienspy-java-rat-overview.html

 

As seen above it can't actually the system from a VM, Sandbox, or Virtual box, but it does exit so it is not detected.

 

Most of you folks here just take the advisories I post and look into them. I provide the links because usually in the most technical papers and links as I am excerpting here, they will include, as the first paper did in pdf, screen shots with examples of the email subject lines used like "Payment" Fill out and return: Then if you open the fill out and return attachment you are toast.

 

If you are not concerned enough to go look that's OK I try to give enough to be wary, but provide the links for those wishing to look further.

 

This is an evolving and growing threat to Linux systems as well as OSX systems.

 

It is a given that any multiplatform will also infect Windows systems.

 

I hope that those wishing to dispute any issues I bring up do the actual homework. For most of us the posts from Threatpost, Fidelis Security, and places like Binary Forest as good enough to show the importance of knowledge over egos.

 

I will continue to post threat alerts when I see them, with links to good sources, not name calling.

 

Safe computing!

[RV_]

No, you're not being naive. The RAT has, at least so far, been targeted and guys like you and me are not likely targets. And unless Fidelis knows a lot more than their report (the .pdf) has indicated, this particular version of the RAT won't work on your OS anyway.

 

WDR

 

Ron,

See previous.

[wa_desert_rat]

RV, maybe you'd like to explain to Ron how it would execute all this without a Java runtime.

 

WDR

[wa_desert_rat]

Your earlier report indicated that this runs in Linux, Firefox, VM, Android, OSX, Windows. But so far no one has demonstrated how it executes under any OS other than Windows. The Java code can create all sorts of folders for the exploit but if the exploit cannot execute the payload (which then installs all the real malware) it's a fruitless endeavor.

 

But you are doing better. All we ask is that you pay attention to what exactly is going on and not simply interpret someone else's reports.

 

So... we know it has to have a Java runtime (all the .jar software in the .pdf I linked to, above) and so far the latest payload seen is all executable in Windows. See my explanation, above.

 

Without Java, this is a non-starter. And without a payload that can execute in Linux/Unix/OSX it's not able to do anything.

 

And it does not even bother to work in a VM.

 

The next question will be how it can do keylogging from a Linux user's subdirectory even if it downloads the right software.

 

If it does get a payload that actually works in just a user's account in Linux then I'll believe that it's a nasty cross-platform exploit. But so far no one has managed to demonstrate anything like that yet. And at least one has demonstrated that it won't.

 

"I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures. "

 

(the above is a response from the author of your link) and this report: http://contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html which says, " The RAT is crossplatform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux."

 

Using xdg-open to get a URL is brilliant if it works.

 

WDR

[RV_]

Your earlier report indicated that this runs in Linux, Firefox, VM, Android, OSX, Windows. But so far no one has demonstrated how it executes under any OS other than Windows. The Java code can create all sorts of folders for the exploit but if the exploit cannot execute the payload (which then installs all the real malware) it's a fruitless endeavor.

 

But you are doing better. All we ask is that you pay attention to what exactly is going on and not simply interpret someone else's reports.

 

So... we know it has to have a Java runtime (all the .jar software in the .pdf I linked to, above) and so far the latest payload seen is all executable in Windows. See my explanation, above.

 

Without Java, this is a non-starter. And without a payload that can execute in Linux/Unix/OSX it's not able to do anything.

 

And it does not even bother to work in a VM.

 

The next question will be how it can do keylogging from a Linux user's subdirectory even if it downloads the right software.

 

If it does get a payload that actually works in just a user's account in Linux then I'll believe that it's a nasty cross-platform exploit. But so far no one has managed to demonstrate anything like that yet. And at least one has demonstrated that it won't.

 

"I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures. "

 

(the above is a response from the author of your link) and this report: http://contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html which says, " The RAT is crossplatform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux."

 

Note from Derek - it even says 2014 in the link. That article is from almost 7 months ago. Long time in tech. If you go to 2013 you would see articles that do not know a cross platform RAT was in existence. Try reading your Linux peer posts from today and in the last few months when something new is found. You did count the months from November 2014 to April 2015 right?

 

Using xdg-open to get a URL is brilliant if it works.

 

WDR

 

None of this should be read as angry. But if it seems ridiculous, that is only because it is. Start with a rant and grade school name calling before reading an article I'm posting. Then try to find old articles to save face? One thing I do know is that when you find yourself in a hole, it is best to stop digging.

 

I don't need, nor want, your approbation. I would not say that "OK now you are doing better because you are now saying it might work on Linux." Who is we? You have a mouse in your pocket? Or are you using the royal we? It seems you are trying to tell me how to post again. I will tell you again to not read my posts if you don't like my take on the facts, Which, with an exception or two my Linux friends here might want a heads up. And your reading somebodies post, but not the links, first, including the bibliography, when it clearly states that the previous three month's work is well known, so if you want to review it click on the bibliography on the bottom, could not have been clearer to provide the trail of research on it from the link to the full research paper in the first article I quoted, to the bibliography at the bottom, and most especially the dates of publication. Those seem clear to me.

 

See my post was and is accurate. The only thing that has changed is after being rude, and acting like a know it all, you are now, as well as the rest of us, acknowledging the article and my interpretation of it is accurate.

 

Your comment and post/link above is from November of 2014. Mine citing what they have and are deciphering now are from March 2015 to April 2015, just a few days ago, thus the Current articles and warnings I linked to. Remember they are now getting the Java and other obfuscation deciphered finally. Your obfuscation with old articles isn't nearly as hard to decipher. 2014 is clearly in the link itself!

 

The only problem you have is any mention of Linux being vulnerable in any way. Which it is. Saying that without Java it is impossible is like me saying Windows cannot be infected by it if it is not running any email programs. If I want your editing on my posts I will ask for it, politely.

If you want to save face, try not losing it in the first place. That works much better. If you want to be rude to me in this public forum, that is your business. Answering uninformed public rudeness, minus the rudeness, in the same thread is mine. Helping you save face is not my job. Being liked by you is not on my required list. I'd prefer it, but you're making that as difficult as you can.

 

Remember, I did not need your help interpreting or comprehending the articles in question. If you want more about it then follow the development, and hopefully the defeat, of this line of cross platform exploit all started by an ignorant consumer or enterprise worker opening a phishing email. You obviously did not know about this new development in RATs. Now you do. But that was the point of my posting it in the first place right?

End of answer to WDR

 

For the rest of the folks reading what appears to be too techie, regardless of the OS, be aware that if you get emails, from strange or familiar sources, for startling things like you are in debt and you need to click on the link in the email or an attachment to it to see whatever scary or enticing thing it seems to be don't.

 

Forget all the techie stuff above. Just delete the email if you never gotten one like it before from whoever. If you are indeed worried about your bank or standing with the FBI/Internal revenue or whatever, call them after you delete the email without opening the attachment.

 

Something we need reminders of from time to time.

 

Safe computing!

[wa_desert_rat]

The Fidelis .pdf reports (http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf) is the latest decompile of the Java code that RAT's initial applications downloads.

 

This report (http://blog.idiom.ca/2015/03/alienspy-java-rat-overview.html#comment-form) has some more disassembler listings.

 

Both of them indicate that if a Virtual system is installed the RAT exits. So one simple method of protection is to mimic some of the indications of having VMWare running. In Linux you could "touch" /etc/vmware-tools because this is explicitly how RAT detects VMWare.

 

The Fidelis .pdf lists the payload that the RAT downloads from the C&C server (Command & Control). The payload they illustrate is typically for Windows. No other method is listed by anyone and the only attempt to run the RAT on a Linux box was documented here:

 

http://contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html

 

These links are in reverse order of their pulication; the Fidelis link (the .pdf) is the latest (April, 8 2015 , then the Idiom.ca blog report (March, 22, 2015) and then the Contagio blog report (November 17, 2014).

 

The RAT is a kit which can be purchased and time on the C&C server rented. The kit is illustrated in the Fidelis report and is presumably how they built their version of the RAT.

 

Because RAT is a phishing attack it has to have some cooperation from the user in order to continue its attack. The attack is in Java .jar files which are spoofed in an email link or a url link on a web page to appear to be something reasonably similar to what the user might think would be contained in the email or on the web page.

 

Spoofing a link is much easier to accomplish if the user (the person being attacked) is using Windows. The reason is that Windows will automatically execute certain file types. We all know about .exe and .com and even .bat; those are file types (like iexplore.exe) that will execute (that is, run) when you click on them. Windows sill try to execute anything with .exe, .bat or .com. But there are 50 file types that can be executed (run) on Windows. And some of them look pretty innocent.

 

Files ending in .wsc, .jar, .scf, .xls are just some of them. This link gives you a better idea: http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/

 

A hacker can hide executable code inside a .jpg file which is one reason we get so many emails containing naked_girl.jpg that turns out to be an executable file.

 

Linux has no extensions that are automatically executed. An executable file in a Linux/Unix operating system has to have an executable attribute explicitly entered in the file and the user has to have permission to execute it. Downloaded files are not given an executable attribute. So if you click on that naked-girl.jpg file in Linux all you'll get is an error. This is one major reason why phishing attacks are much less successful on Linux/Unix (and OSX) than on Windows.

 

Windows actually HIDES EXECUTABLE FILES BY DEFAULT!!! So the .txt file you think will be a note from a buddy could really be a .exe. So the link you see as naked_girls.jpg might actually be naked_girls.jpg.exe but Windows hides the extension (.exe) by default. Linux doesn't do this. Here is a link explaining it more thoroughly: http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

 

Linux does not disguise links. If you mouse over (that is, not click, but just run your mouse over) a link in Linux you can see whether it's been spoofed. Not so much in Windows.

 

But RAT's exploit downloader is a Java .jar file and in Windows a .jar file is executable (if you have a Java runtime on your machine). In Linux it's not so easy. In Linux that .jar file is more likely to simply give you an error (or try to make an archive). You have to explicitly link .jar files to the Java runtime.

 

Notice in the Fidelis .pdf the exploit starts off with a series of .jar files. Here is an excerpt:

 

PayslipDetails.jar

 

The above file is associated with an AlienSpy RAT sample of special interest to us since it was the one that received commands from the attacker to download a malicious dropper that infected the Victim system with the Citadel bot malware.

 

File information:

File Name: PayslipDetails.jar

File Size: 64001 bytes

MD5: fdb674cadfa038ff9d931e376f89f1b6

SHA1: cc0aaf0313c12d7f30ea7ed088fc1dec9ba586f0

 

 

Getting PayslipDetails.jar to run on a Linux/Unix/OSX computer would be more difficult than on a Windows computer.

 

This is why I told RV that just getting the attack to run is not so easy on Linux or Unix. You can do it, but I think you'd have to work at it.

 

WDR

[TheDuke]

wDR. So somehow you have contact with every unix user.To know thst noone run as admin?

And unix is not as Vunerable as windows is a reason to ignore possible tnreats?

And since something is hard to do is another reason to ignore threats?

 

Here is a FUD for you. Only highly qualified techs can run unix properly.

[wa_desert_rat]

wDR. So somehow you have contact with every unix user.To know thst noone run as admin?

And unix is not as Vunerable as windows is a reason to ignore possible tnreats?

And since something is hard to do is another reason to ignore threats?

 

Here is a FUD for you. Only highly qualified techs can run unix properly.

It's not impossible to run Ubuntu or Fedora as root but you have to work hard to get it to do it. With Windows it's not impossible to run as a standard user, but I've never seen anyone do that.

 

And if an exploit is presented as "cross platform" I'd like to see more evidence of that than just noticing that the source code mentions it.

 

As far as running *nix "properly" you may be right. My 83-year-old mother-in-law is a pretty sharp cookie. She moved to Linux Mint when MS stopped supporting her copy of XP.

 

WDR