AlienSpy returns as cross-platform backdoor

The AlienSpy remote access Trojan that was found last year on the cell phone of assassinated Argentinian prosecutor Alberto Nisman has now evolved into a cross-platform backdoor that affects Windows, Linux, Mac OS X, and Android operating systems.

The malware's latest incarnation, now dubbed Adwind after it was discovered by Kaspersky Lab, has also been referred to as Frutas, Unrecom, Sockrat, JSocket, jRat and KilerRat.

The malware is commercially available and has been used primarily by cyber-criminals, rather than in nation-state sponsored attacks. According to Kaspersky Lab, a Malaysian bank sent an email containing malware to banks in Singapore. The e-mail sender's IP address points to a server in Romania, although the e-mail server and account belong to a Russian company.

The malware accepts commands from a remote attacker, wrote Vitaly Kamluk, director of the firm's Asia/Pacific research and analysis team, and Alexander Gostev, chief security expert, in a Kaspersky Lab blog post. “These commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins,” they wrote. “A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.”

In November, Fidelis Cyber-security released a report noting that AlienSpy had morphed into JSocket, a RAT that allows attackers to control Apple and Android mobile devices.