Showing posts with label trojan horses. Show all posts

Thursday, April 9, 2015

Facts About Remote Access Trojans (RATs) vs AlienSpy

AlienSpy is the latest in a family of RATs which target both consumers and enterprises in a bid to steal valuable data and compromise systems.
Remote Access Trojans (RATs) never fully vanish; instead, they are often recycled and redeveloped in the changing cybersecurity landscape. These kinds of Trojans, often deployed through phishing campaigns which use spoof emails and malicious files to deliver malware payloads, can be tailored to target particular industries -- such as banking or manufacturing -- or be used indiscriminately against both consumers and businesses.
In a security advisory posted Thursday, security firm Fidelis said the newly discovered AlienSpy Trojan is currently being used in international phishing campaigns against both consumers and the enterprise, although it has generally been detected in campaigns based in the technology, finance, government and energy sectors.
Joining the likes of njRAT, njWorm and Houdini, the RAT's development focuses on delivery rather than core functions. However, AlienSpy does differ from its predecessors. While also similar to Frutas, Adwind and Unrecom, the security firm believes the new RAT has benefited from "unified," collaborative development. As a result, the Trojan is more sophisticated and has expanded functionality.
AlienSpy currently supports infections on Windows, Linux, Mac OS X and the Android mobile operating system. The Trojan also demonstrates new evasion techniques not present in past RATs.
Once deployed, the Java-based Trojan grants an attacker access and control over a compromised system. The malware is able to collect system information including OS version, RAM data and computer name, upload and deploy additional malware packages, capture webcam and microphone streams without consent, and remotely watch device activity. In addition, the Trojan includes a keylogger.
AlienSpy's additional features include a sandbox detection tool, the detection and disabling of antivirus software, and the use of Transport Layer Security (TLS) cryptographic protocols to secure its connection to the command and control (C&C) server.
"Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise. To prevent various security tools from running, this version of AlienSpy performs various registry key changes," the advisory notes. "Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections."
In the same manner as its predecessors, AlienSpy is available through various subscription models and receives continual updates from its developers. According to Fidelis, AlienSpy can be purchased for between $19.90 and $219.99.
"Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT," Fidelis says.
The security firm has also published a Yara rule to help developers identify and classify the AlienSpy malware strain.
via ZDNet

Monday, March 24, 2014

20% of all malware ever created appeared in 2013

According to the latest PandaLabs report, malware creation hit a new milestone. In 2013 alone, cyber-criminals created and distributed 20 percent of all malware that has ever existed, with a total of 30 million new malicious strains in circulation, at an average of 82,000 per day.


Although Trojans have continued to be the most common security threat, the company’s anti-malware laboratory has observed a wide variety of attacks, with a notable resurgence of ransomware (CryptoLocker being one of the nastiest examples).

The proportion of infected computers around the world was 31.53 percent, very similar to the 2012 figures.

Besides offering an overview of the most significant events in the computer security field, the 2013 Annual Security Report also forecasts future trends for 2014. Much of 2014’s headlines will focus on the Internet of Things (IoT) and Android devices, which will continue to be exploited by attackers to steal users’ data and money.

PandaLabs expects to see hundreds of thousands of new strains of Android-targeting malware in circulation. 2013 saw a large number of Android scams that used malicious ads in legitimate apps, and it has been estimated that last year alone cyber-criminals released more than two million new malware threats for Android.

Social media attacks also grabbed headlines. The number of account hijacking attempts rose spectacularly, affecting companies, celebrities and even politicians.

Looking at the types of malware that were created, PandaLabs identified Trojans as being the top threat, accounting for 77.11 percent of all new malware. There was a significant growth in the number of viruses in circulation, rising from 9.67 percent in 2012 to 13.30 percent in 2013. “This increase is mainly down to two particular virus families: Sality and Xpiro. The first virus family has been around a long time, whereas the second one is more recent and capable of infecting executable files on 32-bit and 64-bit systems,” said Luis Corrons, technical director of PandaLabs.

When it comes to the number of infections caused by each malware category, data gathered by Panda Security’s Collective Intelligence platform indicates that three out of every four malware infections were caused by Trojans (78.97 percent), followed by viruses (6.89 percent) and worms (5.83 percent). “It seems that cyber-criminals managed to infect more computers with Trojans in 2013 than in previous years. In 2011, Trojans accounted for 66 percent of all computer infections, whereas this percentage rose to 76 percent in 2012. This growing trend was confirmed in 2013,” said Corrons.

Malware is a global plague, but some countries are affected more than others. The countries leading the list of most infections are China, Turkey and Ecuador, with 54.03, 42.15 and 40.35 percent of infected computers respectively. Nine of the ten least infected countries are in Europe with the only exception being Japan. The ranking is topped by Scandinavian countries: Sweden (20.28 percent of infected PCs), followed by Norway (21.13 percent), and Finland (21.22 percent).

 