Win-Spy is a commercial off-the-shelf (COTS) stealth monitoring tool. "Start Spying on any PC or Phone within the Next 5 minutes," says its website. With such products generally available, why should hackers go to the trouble of developing their own RATs? Indeed, according to a FireEye analysis following an attempted intrusion on a US financial institution, they don't.
The legitimate purpose of Win-Spy is to allow users to monitor their computers remotely while away, or to keep tabs on their young children. The less legitimate purpose allows parties to spy on spouses or partners. But an illegitimate purpose allows hackers to use a ready-made remote access trojan (RAT) for espionage and data theft purposes.
We "recently observed a targeted attack on a US-based financial institution via spear phishing email," reports FireEye in a new blog post published today. "The payload used in this campaign is a tool called WinSpy, which is sold by the author as a spying and monitoring tool." In fact, the Win-Spy author also provided the C&C infrastructure for the attack. While stressing that it doesn't implicate the author in the attack, FireEye notes, "This feature allowing shared command and control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker."
All the hacker needs to do is find the exploit that will allow him to install a ready-made and openly advertised trojan and C&C infrastructure.
But what surprised FireEye was not the use of COTS software by malicious attackers, but that on analyzing Win-Spy the researchers found Android components. This should perhaps not have been too much of a surprise since the Win-Spy website advertises "Android Monitoring Features," and shows a series of screenshots detailing a wide range of options (SIM card undelete, remote viewer, keylog, remote downloads, chatroom info and more).
FireEye's concern, however, is that it is further evidence of the growth of malicious interest in mobile devices and mobile surveillance. "The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in the interest of malicious actors to control mobile devices. GimmeRAT is another startling example of malicious actors venturing into the Android ecosystem."
It notes that the Android components (which it has dubbed GimmeRAT) can be controlled remotely by a simplistic Windows-based controller, or via SMS-delivered commands from another mobile device. FireEye suspects that the emergence of GimmeRAT is simply symptomatic of the new age. "With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms. We will continue to see more implementations of RATs and payloads to support multiple platforms and attackers will continue to take advantage of these new attack surfaces to infiltrate their targets."