AlienSpy RAT strikes over 400,000 victims worldwide

Otherwise known as Adwind, the malware-as-a-service platform is still actively attacking both individuals and businesses.
Written by Charlie Osborne, Contributing Writer

TENERIFE, SPAIN: The notorious AlienSpy RAT has launched attacks against at least 400,000 corporate and private targets in the financial, government, education and engineering sectors worldwide, researchers have warned.

On Monday, Kaspersky researchers Vitaly Kamluk and Aleks Gostev from the firm's Global Research team told attendees at the Kaspersky Security Analyst Summit in Tenerife, Spain that Adwind is actively pursuing targets internationally in the quest for information and surveillance data.

Also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, Adwind is a Java-based Remote Access Tool (RAT) that is sold as a single malware-as-a-service platform.

According to Kaspersky, the Trojan has been used in attacks against at least 443,000 users and businesses worldwide between 2013 and 2016 -- and remains active today. Because the malware is cross-platform, the pool of potential victims is endless.

The RAT is sent as a payload to potential victim machines via phishing campaigns. If a victim opens an email attachment loaded as a malicious AlienSpy JAR file, the malware installs itself on the PC and attempts to communicate with the operator's command and control (C&C) server for additional instructions.
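Because the delivery vector described above is a JAR attachment, a mail gateway check that classifies attachments by content rather than by declared extension is a practical mitigation. The following is an added example, not code from the article or from Kaspersky: it builds a constructed, harmless JAR-shaped archive in memory and flags any attachment that is really an executable Java archive, including one renamed to look like a document.

```python
import io
import zipfile


def build_sample_jar(main_class: str = "Loader") -> bytes:
    """Constructed sample attachment (not a real Adwind sample): a minimal
    JAR-like archive with a manifest declaring a Main-Class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        # 0xCAFEBABE is the Java class-file magic; the rest is padding.
        zf.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify a mail attachment by its bytes, not its name.

    Returns {"quarantine": bool, "reasons": [...]}; an empty reasons list
    means nothing JAR-like was found."""
    reasons = []
    # JAR files are ZIP containers; check the local-file or end-of-archive magic.
    if data[:4] not in (b"PK\x03\x04", b"PK\x05\x06"):
        return {"quarantine": False, "reasons": reasons}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("latin-1")
                if any(line.lower().startswith("main-class:")
                       for line in manifest.splitlines()):
                    reasons.append("executable Java archive (Main-Class present)")
            if any(n.endswith(".class") for n in names):
                reasons.append("contains Java bytecode")
    except zipfile.BadZipFile:
        reasons.append("malformed ZIP container")
    # A Java archive delivered under a document-style name is the classic lure.
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if reasons and ext not in ("jar", "zip"):
        reasons.append(f"archive disguised with .{ext or '<none>'} extension")
    return {"quarantine": bool(reasons), "reasons": reasons}
```

In a real gateway the same check would run on every MIME part, including nested archives, before the message reaches the mailbox.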

The malware is able to collect keystrokes, steal cached passwords and data submitted through Web forms, take screenshots and pictures, as well as record video and sound. In addition, Adwind is able to transfer files without a victim's consent, collect general system information and VPN certificates, manage SMS systems in Android-based operating systems and steal the keys required to access cryptocurrency wallets holding funds such as Bitcoin.

It can even facilitate the option for an attacker to chat with a victim.

According to security firm Fidelis, AlienSpy may have benefitted from collaborative development, which would explain the RAT's expansive arsenal of features.

While the malware is usually spotted in spam campaigns sent en masse to the general public, there are cases where Adwind has been used in targeted attacks against specific victims. In August last year, the Trojan was linked to the suspicious death of Argentinian prosecutor Alberto Nisman.

Gostev commented:

"The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cybercrime.

What we can say based on our investigation of the attack against the Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform's 'clients' have that level of computer education. That is a worrisome trend."

The malware was found on the prosecutor's smartphone at the time of his death, just before Nisman was due to release a report condemning the Argentine government for allegedly covering up a terrorist attack against a Jewish community center. In addition, a Singaporean bank was also specifically targeted through a spear phishing campaign utilizing the malware.

Kaspersky says the RAT's targets are widespread and include players in the manufacturing, finance, engineering, design, retail, government, shipping and telecom sectors. In addition, AlienSpy has been spotted in campaigns against businesses in the education, software, healthcare, energy, media and food production industries.

Almost half of the RAT's victims were based in the United Arab Emirates, Germany, India, US, Italy, Russia, Vietnam, Hong Kong, Turkey and Taiwan.

As the Trojan is software users must pay for, Kaspersky believes most of the malware's users -- of which there are at least 1,800 -- are scammers looking to upscale their campaigns with advanced tools, competitors looking for an edge against other companies, or private users who want to use the RAT to spy on people they personally know.

It is believed that subscriptions for the software generate an annual income of approximately $200,000.

Unfortunately, Kaspersky doesn't believe the platform will go away anytime soon, thanks to the user base, subscription model and profitability. Kamluk said:

"It's internationally recognized and we should expect that if it should go down, it will be rebranded as something else. [..] We should also expect cross platform RATs to become standard."

Disclaimer: Kaspersky Labs sponsored the trip to the summit in Tenerife, Spain.