Sunday 22 March 2015

AlienSpy Java Rat Overview


AlienSpy is a cross platform Java RAT with support for Windows, Linux and Mac systems. 
The samples I was able to analyze used a demo version of the Allatori Java Obfuscator (v5.3) which can be seen in the obfuscated method naming and Splash page shown when the malware is launched.


Allatori Name Obfuscation

Allatori Splash Screen

I won't dive into the Allatori obfuscation methods or the container in detail other than to understand how the malicious jar is encapsulated within the package.  The container has a simple structure containing two resource files (config.ini & password.ini) and four class files.


Jar Overview
Once executed the container follows a simple path to decrypt and execute the payload.
  • Init LoadStub Thread
  • Load config.ini contents
  • Spawn DecryptStub Thread
  • Create key -- Load password.ini contents and append static_key (set in LoadPassword.class)
  • Decrypt config.ini using created key 
  • Spawn LoadStubDecrypted
  • Initialize JarInputStream object from decoded config data
  • Spawn thread with decoded Jar

Unpacking the Payload

Analyzing the decryption method in the DecryptStub class shows the encryption has changed from previous versions. The payload stored in the config.ini file is encrypted using RC4 and the decrypt key is composed of the sha256 hash of a dynamic key stored in the password.ini file and a static key defined in the LoadPassword.class. 

Looking at the de-obfuscated strings in the LoadPassword class shows the static key as ALSKEOPQLFKJDUSIKSJAUIE. 

Appending Static Key
The sha256 hash is then created from the combined dynamic and static key.

key = sha256(dynamic_key + static_key)

For this sample the key is calculated using the following:

sha256('l85T4gI3' + 'ALSKEOPQLFKJDUSIKSJAUIE')


To extract the properties (config.xml) or the entire payload I've put  together a script to decode the latest version of the AlienSpy rat. 

https://github.com/idiom/IRScripts/blob/master/alienspy-decrypt.py

Once the rat is decoded we can decompile it and take a look at the layout and functionality. The decoded AlienSpy RAT has a simple layout containing a two resources config.xml & keystore.test and a collection of classes within three packages. 






Persistence

When the malware is launched it checks the INSTALL property which is populated from the config.xml resource. If the property is set to True the installation method is triggered using the following properties to generate the directory and file on the host system. 

  • JAR_FOLDER       - Name of folder to copy malware into 
  • JAR_NAME          - Name of the file
  • JAR_EXTENSION  - Extension of the file
  • JAR_REGISTRY    - Name of persistence setting

Windows

On Windows systems the malware is copied to new directory with %appdata% and a new value under the Run key is created to launch the malware. The value name is the string defined within the JAR_REGISTRY config setting and the value is the command line to launch the malware 'java -jar <path-to-jar>'. The jar path and file name is defined by the JAR_ properties described above. 




Depending if the user is a local administrator or not the value is created under the Run key in HKLM or HKCU to either infect the system or only the current user. To check if the user is an administrator the file tem.txt is created within the Windows directory and deleted. If this succeeds the Administrator Property is set to true. 



Linux

On a Linux system the jar file is copied to the hidden directory <JAR_FOLDER>  within the user's home directory and renamed to <JAR_NAME>.<JAR_EXTENSION>. The malware then creates a .desktop file within the users autostart directory ~/.config/autostart/<JAR_REGISTRY>.desktop to launch the RAT when the desktop is started.


MacOS 

Like on Linux systems the malware creates a file under a new directory <JAR_FOLDER> in the user's home. It then creates a new job within the user's Library/LaunchAgents directory com.<JAR_REGISTRY>.plist

The generated configuration file has the optional key RunAtLoad set to true; this instructs launchd to run the job once when it is loaded.  


Once the job file is created, it then runs the command "chflags hidden <JAR_FOLDER>" to set the hidden flag and hide the directory from the UI. 

Sandbox Detection

When executed AlienSpy checks if it is running within either a VirtualBox or VMWare environment. If it detects that it is running within a VM the application exits. The detection technique isn't advanced and is done by detecting files installed as part of the VM host guest tools. 

For VirtualBox this is either the file "/etc/init.d/vboxadd" in Linux or the directory "Oracle\Virtualbox Guest Additions" in Windows. If the RAT is running within a Mac environment it returns false. 


VirtualBox Detection

Similarily for VMware  this is the directory "/etc/vmware-tools" in Linux "/Library/Application Support/VMware Tools" in Mac and "VMware\VMware Tools" in Windows.

VMWare Detection


Communication 

AlienSpy uses SSL Sockets to communicate with the C2 server. The server and port are both defined within the config.xml file. 
  • DNS   - Hostname or IP address
  • PORT - TCP port 
The jar file contains a keystore resource keystore.test which is used to trust the C2 SSL certificate. Using keytool we can look at the contained certificates. 

Note: The password for the keystore is 'storepass' and is defined in utils\AlienSSLSocket.class


When examining the certificate details I was able to trace it back to a how-to post on SSLSockets and creating a keystore. 


The majority of settings for the certificate have just been directly copied from the examples in the article (keystore name, password and certificate properties). 


C2 Subscription

To subscribe to the C2 server the rat first creates and configures the SSL connection then sends 1 then sends the properties describing the host system. At this point the malware is in listening mode waiting for commands from the C2 server.  





Commands 

Once connected to the C2 server the RAT waits for a command. Commands have a simple syntax of command_id [1..10] and an optional payload for the command. 


IdPayloadDescription
1 [0] - Message Type
[1] - Option Type
[2] - Title
[3] - Message
Display Message Box
2 [0] - URL
[1] - Number of times to open the URL
Open the URL the requested number of times. Hardcoded to sleep 2s every iteration.
3 N/A Shutdown
4 N/A Restart
5 N/A Uninstall
6 N/AUpdate Offline
7 URL for update. Update Online
8 [0] - URL for download.
[1] - Extension to append to file.
Download & Execute
9 Plugin Name Run Plugin
10N/AStart Heartbeat

From what I've observed the first command after subscription is generally '10' which instructs the infected host to begin sending a heartbeat every 60 seconds.  

  • Write 1 
  • Write PINGPONG
  • Sleep 60s

The heartbeat will continue running on a separate user thread while the malware waits for the next command from the server.


Updating 

There are two commands the C2 server can send for updating infected hosts; an online update or an offline update. 

An offline update instructs the client to make another connection to the C2 server. Once the updated rat is downloaded it will call uninstall to remove the existing version then launch the updated one from the temp file. 


An online update includes a URL as the payload which instructs the RAT where to download the updated version from. A GET request is sent to the URL with the hardcoded UserAgent

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

The same process seen in the update offline is followed, the new version is downloaded into a temporary file and the client uninstalls the existing version and updates to the newly downloaded version.

Download & Execute

The server can issue the command Id 8 which instructs the client to download and execute the downloaded file. The payload for this command includes the URL to download the file from and the extension to append to the file once it is downloaded. 

Requests are made using the UserAgent: 

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Once the file is downloaded the file is passed to an opener function where it determines how to launch the downloaded file. The opener first checks if the downloaded file ends in '.jar' if it does it will generate a string 'java -jar <downloaded jar>' and execute it. 

If the malware is running on MacOS it will also append the argument -Dapple.awt.UIElement=true



If the file doesn't end in .jar the opener will use the preferred method to open files for the host OS. For Windows systems this is cmd, for Linux this is either /usr/bin/open or /usr/bin/xdg-open and for MacOs this is java.awt.Desktop.getDesktop().open



Open URL

The server can instruct clients to open a URL. The payload to this command contains the URL to open and the number of iterations. The client will then open the URL the requested number of times sleeping for 2 seconds between iterations.  

  • For MacOS it will launch the URL using:  open -a Safari <URL>
  • For Windows it will launch the URL using: cmd.exe /c START iexplore.exe <URL>
  • For Linux it will launch the URL using: /usr/bin/xdg-open <URL>  

Conclusion

Incident Responders looking for systems compromised by AlienSpy can extract host and network indicators from the properties defined in the config.xml file. Additionally systems would also be beaconing to the C2 server every 60 seconds.

AlienSpy is used to deliver other malicious payloads to infected systems. Detecting the presence of AlienSpy should be considered to be only part of the compromise.

If you have any samples, would like to collaborate feel free to reach out to me on twitter @seanmw. I'm interested in looking at how AlienSpy is being used in phishing campaigns to deliver malware.

Samples

The samples I used for the post can be found using the hashes below:
  • Sample 1: f3366d437f9461f1486406972f52e7aab47174db 
  • Sample 2: c932064fe6a7dfc96fb2a3ffec2b7f4e5b7e048f

References
  • http://contagiodump.blogspot.ca/2014/11/alienspy-java-rat-samples-and-traffic.html
  • https://developer.gnome.org/autostart-spec/
  • https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
  • https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html#//apple_ref/doc/man/5/launchd.plist

78 comments:

  1. great writeup, thanks. Would have been nice if you included the network artifacts as well.

    ReplyDelete
    Replies
    1. Hi Alexander,

      I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures.

      Delete
  2. Creating "a Run key" for persistence wouldn't necessarily do anything...creating a _value_ beneath the appropriate Run key, with data pointing to the file to be launched, does provide persistence.

    Is there anything known about the value name? Is it consistent, random every time?

    ReplyDelete
    Replies
    1. Hi Harlan,

      My bad, I should have been more descriptive (dangers of late night posting).

      I've made a update to better explain that a value is created under the run key. The value name is defined in the JAR_REGISTRY config setting which would be random. And the data is a command line to launch the jar file.

      Delete
  3. Has anyone managed to get this exploit to actually work (execute the .jar, create the subdirectories, go after the payload and drop it into place, and then execute the malware in the payload) in Linux? So far all I've seen is that the source code mentions Linux, OSX, Android, etc. But little evidence of actually working in those platforms.

    ReplyDelete
  4. I think this is an informative post and knowledgeable. Thank you for sharing this wonderful post! I’m glad that I came across your article. Java Training in Chennai

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Your info is really amazing with impressive content..Excellent blog with informative concept. Really I feel happy to see this useful blog, Thanks for sharing such a nice blog..
    If you are looking for any Data science Related information please visit our website Data science courses in Pune page!

    ReplyDelete
  7. You are the smartest, you are much louder and I hope you give me a heart zero city zombie shelter survival hack

    ReplyDelete
  8. Oh my goodness! Impressive article dude! Thank you, However I am going through problems with your RSS. I don’t know the reason why I cannot join it. Is there anybody getting the same RSS issues? Anyone that knows the solution will you kindly respond? Thanks!! asus display replacement An outstanding share! I've just forwarded this onto a colleague who has been conducting a little research on this. And he in fact bought me breakfast simply because I stumbled upon it for him... lol. So allow me to reword this.... Thank YOU for the meal!! But yeah, thanks for spending some time to talk about this matter here on your web page. onsite mobile repair bangalore After going over a few of the articles on your web page, I truly like your way of writing a blog. I saved as a favorite it to my bookmark site list and will be checking back in the near future. Please check out my web site as well and let me know what you think. huawei display repair bangalore

    ReplyDelete
  9. Greetings! Very helpful advice in this particular post! It is the little changes that produce the largest changes. Many thanks for sharing! motorola display repair bangalore Hi there! This blog post couldn’t be written much better! Looking at this post reminds me of my previous roommate! He always kept talking about this. I most certainly will send this post to him. Fairly certain he's going to have a great read. Thanks for sharing! vivo charging port replacement Howdy, I believe your web site could possibly be having web browser compatibility problems. Whenever I look at your web site in Safari, it looks fine however, when opening in I.E., it has some overlapping issues. I just wanted to give you a quick heads up! Aside from that, great blog! lg service center Bangalore

    ReplyDelete
  10. This has been discussed by many Android users, where they have found an Android Keylogger: https://www.spyic.com/android-keylogger.html which suitable for the device they are using. With it, you can then know every keyboard stroke input that the victim apply, thus making you know the password they are using.

    ReplyDelete
  11. Thank you for this article. I am sure alienspy has many benefit. Although I want to talk about this free gps phone tracker to track a cell phone location without them knowing on Clickfree. Similar to your software, this is great!

    ReplyDelete
  12. Technology has given us everything. With the help of technology anyone can steal your important data from your phone. Do you know that? But if you have best keylogger for android http://minspy.com/phone-spy/best-keylogger-for-android/ set up in your device. Therefore, you are secure enough. Anyone can't easily steal your data now. It's best to use a keylogger.

    ReplyDelete
  13. I feel so blessed with this article which able to let me learn on how to track my child's phone without them knowing: http://spyier.com/phone-tracker/track-my-childs-phone-without-them-knowing/. Thank you for this guide I am able to monitor his behavior and knowing who he is messaging with as I am so worry for his well being.

    ReplyDelete
  14. Have you ever used a keylogger for your Android device? If yes, which one? Is that one for free or paid? I would like to inform you guys about a best keylogger for android try here http://spyine.com/mobile-spy/best-keylogger-for-android/. This will help you to keep your mobile data more secure.

    ReplyDelete
  15. Great to come accross something that actually works, and at the same time is not hopelessly complicated. i really enjoy to read this content
    Ai & Artificial Intelligence Course in Chennai
    PHP Training in Chennai
    Ethical Hacking Course in Chennai Blue Prism Training in Chennai
    UiPath Training in Chennai

    ReplyDelete
  16. Thanks a lot for sharing such a good source with all, i appreciate your efforts taken for the same. I found this worth sharing and must share this with all.

    Dot Net Training in Chennai | Dot Net Training in anna nagar | Dot Net Training in omr | Dot Net Training in porur | Dot Net Training in tambaram | Dot Net Training in velachery









    ReplyDelete
  17. it is really a great and helpful piece of info. I am glad that you shared this helpful information with
    malaysian embassy singapore

    ReplyDelete
  18. I see that this article has been talking about how to protect the phone itself. But this guide about Android spy app by redirect to FoneMonitor on how to hack a phone which can be done easily. How can we prevent this leak of information from happening?

    ReplyDelete
  19. Just read check it out article if you want to hack Android spy app by phone number. I have tried it myself and it works brilliant. Although it can not be done in single day sometimes, you will need time for the messages to be delivered to target users.

    ReplyDelete
  20. Post is very good its amzazing post I love them thanks for sharing.
    visit here- lok sabha election comedy

    ReplyDelete
  21. We are a well-known writing service provider in Australia. If anyone looking for a genuine assignment help service provider over there, then come to us for guaranteed results.
    Assignment Help Sydney

    ReplyDelete
  22. Very well written information. It will be supportive to everyone who employess it, including yours truly. Keep up the good work - can'r wait to read more posts.
    Visit here :- Best Seo Company In India

    ReplyDelete
  23. Nice Post...Thanks..
    Best Location to Buy Real Estate in Pune.Some factor shapes many other major decisions such as: Lifestyle, Environment ,Weather, Education, Career, Social Networks.

    ReplyDelete
  24. I am really enjoying reading your well written articles. I think you spend numerous effort and time updating your blog.
    online electronics shopping sites in india

    ReplyDelete
  25. Good day! This is kind of off topic but I need some help from an established blog. Is it very hard to set up your own blog? I m not very technical but I can figure things out pretty quick. I'm thinking about setting up my own but I'm not sure where to begin. Do you have any tips or suggestions? Thanks .

    Website : Craigslist Posting Service for Car Dealers |

    ReplyDelete
  26. This is really amazing website that I have been found on google regarding website Blog Commenting sites. and I would like to thank admin who also given us to post the link on his side.

    Website : Lubbock moving company |

    ReplyDelete
  27. This was something I was looking for, really helpful, and great work is done. Thank you so much for sharing such valuable information.

    Website : Car Auction Software |

    ReplyDelete
  28. It’s really a cool and helpful piece of information. I am glad that you shared this useful information with us. Please keep us up to date like this. Thanks for sharing.

    Website : Best CRM for Small Businesses |

    ReplyDelete
  29. Communication is a two way process. If done properly, it gives excellent result. Thus opting for the best Integrated Marketing Communication Course on Talentedge is wise. To know more visit:

    ReplyDelete
  30. Visit Bharat Go Digital Academy to learn the digital marketing skills in India.

    ReplyDelete
  31. Great article! This is the type of information that are meant to
    be shared across the internet. Thank you for sharing such a useful post. Very Interesting Post! I regularly follow this kind of Blog.
    link

    ReplyDelete
  32. We offer everything in one place, whether it is read online web casino online casino Gamecocks online casino Siam Lotto and many others within the site ufabet wait for everyone to experience it.

    ReplyDelete
  33. Good blog,

    Digital Marketing, Digital Marketing Online Training, Digital Marketing Training Programs, Women Entrepreneurship, Women Entrepreneurship Training Programs, Digital marketing online video course, Women Entrepreneurship Online Certification Course, Business coaching, Training for Business owners, Business coaching for women, young entrepreneurs training

    https://www.eminentdigitalacademy.com

    ReplyDelete
  34. Normally I do not learn post on blogs, but I wish to say that this write-up very compelled me to take a look at and do it! Your writing taste has been amazed me. Thanks, quite great article. ยูฟ่าสล็อต

    ReplyDelete
  35. As you can see, this is the tool that I recommend to a lot of forums about VIN decoder: vinpit.com/vin-decoder/hyundai. It utilizes VIN number to check the car histories and let you know if it is right for you to purchase it or not.

    ReplyDelete
  36. Excellent post. Thank you for this fantastic artilce. Get the Azerbaijan electronic visa through online e visa application to travel to Azerbaijan. Just follow 3 steps, fill application, upload document and make online payment for Azerbaijan e visa.

    ReplyDelete
  37. youtube abone satın al
    trendyol indirim kodu
    cami avizesi
    cami avizeleri
    avize cami
    no deposit bonus forex 2021
    takipçi satın al
    takipçi satın al
    takipçi satın al
    takipcialdim.com/tiktok-takipci-satin-al/
    instagram beğeni satın al
    instagram beğeni satın al
    btcturk
    tiktok izlenme satın al
    sms onay
    youtube izlenme satın al
    no deposit bonus forex 2021
    tiktok jeton hilesi
    tiktok beğeni satın al
    binance
    takipçi satın al
    uc satın al
    sms onay
    sms onay
    tiktok takipçi satın al
    tiktok beğeni satın al
    twitter takipçi satın al
    trend topic satın al
    youtube abone satın al
    instagram beğeni satın al
    tiktok beğeni satın al
    twitter takipçi satın al
    trend topic satın al
    youtube abone satın al
    takipcialdim.com/instagram-begeni-satin-al/
    perde modelleri
    instagram takipçi satın al
    instagram takipçi satın al
    takipçi satın al
    instagram takipçi satın al

    ReplyDelete
  38. I think you should make video about it or even create youtube channel to publish your video. From here https://soclikes.com/ you can get subscribers for your channel

    ReplyDelete
  39. Thank you very much for sharing this informative article with us. I really like your way of presentation. Please keep sharing ...College essays online

    ReplyDelete
  40. Normally I do not learn post on blogs, but I wish to say that this write-up very compelled me to take a look at and do it! Your writing taste has been amazed me. homework help

    ReplyDelete
  41. You can make the video about this and post on tiktok. To promote your video I advise you to buy tiktok likes

    ReplyDelete
  42. This website was... how do you say it? Relevant!! I finally found something that helped me. You can read online info about South Africa visa requirements.The South Africa e-Visa is an electronic visa that allows entry into South Africa.

    ReplyDelete
  43. its has great idea for alienspy java rat. thanks for sharing . also checkout Kinemaster Lite

    ReplyDelete
  44. Thanks for your efforts. This is really an inspiring and helpful article. There is no need to meet the Ukraine embassy specially to get a valid Ukraine visa. You can get Ukrainian tourist e-visa in 4 working days.

    ReplyDelete
  45. Gandhi Brothers Lottery Group was founded by Mr Manmeet Singh when he was 12 years old and today
    Bumper lottery

    ReplyDelete
  46. You are an excellent writer. Nice job.evisa to India, you can apply for an online e visa to India visa through Indian visa website.

    ReplyDelete
  47. I simply want to tell you that I am new to weblog and definitely liked this blog site. Very likely I’m going to bookmark your blog . You absolutely have wonderful stories. Cheers for sharing with us your blog. hanumanchalisalyrics

    ReplyDelete
  48. Good afternoon guys, many people ask, e visa India processing time, normal visa you can get 3 to 5 working days, in urgent cases 1 to 3 days.

    ReplyDelete
  49. This is a great inspiring article.I am pretty much pleased with your good work.
    Visit here :- nift in india

    ReplyDelete
  50. Thank you for sharing such a really admire your post. Your post is great! .best furniture store Hyderabad

    ReplyDelete
  51. I appreciate you sharing this post with us. It is very informative blog. Java's versatility makes it suitable for a wide range of applications, from small embedded systems to large-scale enterprise solutions. Learning Java course in Solapur can undoubtedly open doors to numerous opportunities and pave the way for a successful career in the ever-expanding world of technology.

    ReplyDelete
  52. Indian visa online status. To track the status of your Indian visa application, you can use the Indian Visa Online website. After entering your Application ID and Passport Number, the website will provide information about the status of your visa application. You can check whether your visa has been approved and, if so, download it. Make sure to have your Application ID and Passport Number ready for this process. The processing time can vary, so please be patient while waiting for the status update.

    ReplyDelete