Entrepreneurial RATs: AlienSpy and TaaS (Trojans as a Service)

Michael Buckbee
2 min read
Published February 17, 2016
Last updated October 14, 2022

When I wrote about Remote Access Trojans (RATs), I thought they were like the mousetraps of the hacking world — it’s hard to improve on.

RATs let hackers get a foothold on a target system. Once the client-side payload has been installed (via phishing), the RAT operator can view and download files, upload additional malware, launch apps, and pop shells.


By listening on port 80 on the hacker’s C2 server, the RAT can hide its network traffic so that it appears as a vanilla web interaction. Additional stealthiness comes from other built-in anti-forensics.

In short: they’re hard to detect.
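One thing a defender can still look for when a RAT hides its C2 traffic on port 80 is the regularity of the check-ins: an implant polls its server on a schedule, while real browsing is bursty. The following is an added example, not code from the original post; it assumes a constructed connection-log format ("timestamp src dst port bytes", made up here) and flags (src, dst, port) tuples whose connection intervals are nearly constant.

```python
"""Beacon detection over constructed connection logs (added example).

Assumed log format (constructed, not from any product):
    "<unix_ts> <src_ip> <dst_ip> <dst_port> <bytes_out>"
A RAT talking to its C2 over port 80 still tends to check in on a fixed
schedule, so we look for flows whose inter-connection gaps barely vary.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one host browsing a site irregularly (198.51.100.2)
# and polling another host (203.0.113.9) every 60 seconds.
CONSTRUCTED_LOG = """\
1455692400 10.0.0.5 203.0.113.9 80 512
1455692410 10.0.0.5 198.51.100.2 80 1400
1455692460 10.0.0.5 203.0.113.9 80 510
1455692520 10.0.0.5 203.0.113.9 80 514
1455692580 10.0.0.5 203.0.113.9 80 511
1455692640 10.0.0.5 203.0.113.9 80 513
1455692655 10.0.0.5 198.51.100.2 80 2200
1455692700 10.0.0.5 203.0.113.9 80 509
1455692900 10.0.0.5 198.51.100.2 80 980
"""

def parse(log):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port, _ = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(log, min_hits=5, max_cv=0.1):
    """Return [(flow_key, mean_period_seconds)] for flows whose gaps are
    regular: coefficient of variation (stdev / mean) at or below max_cv.
    Flows with fewer than min_hits connections are ignored as noise."""
    suspects = []
    for key, stamps in parse(log).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            suspects.append((key, round(mean(gaps), 1)))
    return suspects

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(CONSTRUCTED_LOG):
        print(f"regular {period}s check-ins from {src} to {dst}:{port}")
```

The threshold and minimum hit count are starting points; tune them against your own baseline before treating a match as more than a lead.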

More evolved RATs, such as KilerRAT, go beyond these basic features. They can have embedded functions to log keystrokes, access a laptop camera, or directly manipulate Windows registry entries.

Sure, they have more hack bling, but at their core, even newer RATs act a lot like the first gens I wrote about in my pen-testing series.

AdWind, AlienSpy & Co. change the game

A better kind of RAT has emerged from an evil hack laboratory. It’s called AdWind, and it represents the king RAT of a trojan pedigree.

The folks at Kaspersky who track these critters say that Adwind was released in 2013.

This RAT is very interesting because you don’t necessarily have to purchase the software.

(By the way, you have to get used to the idea that RATs and other malware are sold like ordinary software on the Interweb.)

With Adwind, the malware is hosted in the cloud, and hackers pay a monthly fee. They can dynamically add on features, and pick their own targets through phishmail campaigns. In this model, the wannabe and newbie hackers don’t even have to bother with an installation — it’s all done for them.

The business minds behind this Trojan as a Service are, if anything, entrepreneurial.

Adwind also adds an interesting twist: it’s OS independent since it’s written in Java. It runs on Windows, Linux, or any platform that has a Java runtime environment. The phishmail containing the payload is really a JAR file.
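Because the payload is a JAR, a mail filter that keys only on the ".jar" extension is easy to sidestep; a JAR is just a ZIP archive carrying META-INF/MANIFEST.MF and compiled .class entries, so a structural check is more robust. The following is an added example, not code from the original post or any product; the sample attachments are constructed in memory and are benign stand-ins.

```python
"""Recognise a JAR attachment by its structure, not its name (added example).

Assumption: we hold the raw attachment bytes and the filename the message
claimed for it. Sample archives below are constructed in memory.
"""
import io
import zipfile

def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive with the JAR layout."""
    if not data.startswith(b"PK\x03\x04"):   # ZIP local-file-header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    has_manifest = "META-INF/MANIFEST.MF" in names
    has_classes = any(n.endswith(".class") for n in names)
    return has_manifest and has_classes

def classify_attachment(name: str, data: bytes) -> str:
    """'jar' for JAR content under a .jar name, 'jar-disguised' for JAR
    content under any other name, 'other' for everything else."""
    if not looks_like_jar(data):
        return "other"
    return "jar" if name.lower().endswith(".jar") else "jar-disguised"

def build_sample_jar() -> bytes:
    """Constructed benign archive with the JAR layout (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()

def build_sample_zip() -> bytes:
    """Constructed ordinary ZIP: no manifest, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain archive")
    return buf.getvalue()

if __name__ == "__main__":
    jar, plain = build_sample_jar(), build_sample_zip()
    print(classify_attachment("Invoice.jar", jar))        # jar
    print(classify_attachment("Invoice_scan.pdf", jar))   # jar-disguised
    print(classify_attachment("Invoice.zip", plain))      # other
```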

The malware scene is a fluid one with product name changes and new features being added all the time.

At some point in 2015, AlienSpy was introduced as a better version of Adwind. This latest-and-greatest RAT has improved abilities to detect and disable anti-virus software — it can even turn off Windows UAC.

It also uses Allatori, a commercial Java obfuscator, which makes it very difficult to reverse-engineer the code. In other words, the hackers are protecting their intellectual property.

Son of AlienSpy

AlienSpy and its predecessor have been quite successful. According to Kaspersky, its various versions have infected over 400,000 systems worldwide.

Finally, to make this all very confusing, AlienSpy was recently rebranded because of all the attention and analysis it received. It’s now known as JSocket, and it’s reported to have improved self-encryption so it’s even harder to analyze.

Are you thinking what we’re thinking?

There’ll always be a new threat that can’t immediately be detected. Like their fuzzy counterparts, RATs are just part of the landscape.

RATs! Deal with them by reframing your security approach and working from the inside out.
