FireEye discovered Android spying components in Winspy RAT

Pierluigi Paganini March 20, 2014

FireEye experts investigating a spear-phishing campaign against a U.S.-based financial institution discovered that the common WinSpy RAT had been adapted to hit Android devices.

FireEye security researchers have recently identified a new variant of the WinSpy RAT that can infect users' PCs and also their Android devices during synchronization operations. We have long discussed the increase in criminal activity against the mobile industry: the principal security firms are observing a significant rise in the number of mobile malware samples and a growing offer of tools and services in the criminal underground to hit mobile platforms. The Android platform is a privileged target due to its market share, and criminals are designing new agents to hit it; think of the recent discovery of the HTTP-based Android remote administration tools Dendroid and AndroRAT.

“The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in the interest of malicious actors to control mobile devices. GimmeRAT is another startling example of malicious actors venturing into the Android ecosystem,” reported FireEye.

This time FireEye researchers, during an investigation of a targeted attack on a U.S.-based financial institution, discovered a new version of a Windows Remote Access Trojan (RAT) dubbed Win-Spy Software Pro v16. The attackers conducted a spear-phishing campaign using the WinSpy Windows RAT; the malware was hidden in macro documents sent to the victims.


“FireEye recently observed a targeted attack on a U.S.-based financial institution via a spear-phishing email. The payload used in this campaign is a tool called WinSpy, which is sold by the author as a spying and monitoring tool. The features in this tool resemble that of many other off-the-shelf RATs (Remote Administration Tools) available today. We also observed a second campaign by a different attacker where the WinSpy payload was implanted in macro documents to attack various other targets in what appears to be a spam campaign,” reports FireEye.

During the investigation, the FireEye team observed a second campaign, conducted by a different attacker, that presented an alarming feature: the WinSpy payload includes Android spying components, dubbed GimmeRat, that let the attacker control the victim's device remotely.

GimmeRat allows the attackers to control the infected handset via SMS or, alternatively, through a Windows-based controller. WinSpy is a Windows monitoring tool designed for home users; the variant detected by FireEye includes further features, such as remote administration capabilities, that make it suitable for infiltrating a target organization.

“This tool also adds another layer of anonymity for the attacker by using the default command-and-control server provided as part of the WinSpy package.” “The command-and-control (CnC) infrastructure used in the attack against the financial institution is owned and controlled by the author of WinSpy. This does not necessarily mean the author is behind the attack as the author provides the use of his server for command and control as well as to store the victim data as the default option in the WinSpy package,” reports FireEye on its blog.


The infection of the Android device happens once the handset is connected to the computer: WinSpy uses a command-line tool called Android Debug Bridge (ADB), which allows the Windows malware to execute commands on the Android platform. ADB is a legitimate tool included in the Android software development kit (SDK); when the victim connects an Android device with USB debugging mode enabled, the Windows malware launches the installation process and infects the smartphone by dropping the Android malware. Once on the device, the Android malware installs an app that masquerades as a Google app store.
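As an added defender-side example (not code from FireEye or the article): the ADB abuse described above leaves a trace on the Windows host as an adb.exe process launch. The script below runs a simple detection rule over constructed process-creation events, flagging adb install/push/shell commands where adb.exe runs from outside the SDK's platform-tools folder or is spawned by a parent that is not a known development tool; the log layout, paths, host names and parent allowlist are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample of Windows process-creation events in a simplified
# key=value layout (not real Sysmon/EDR output); hosts, paths and names are made up.
SAMPLE_EVENTS = [
    'ts=2014-03-20T10:01:02 host=WS01 parent=explorer.exe '
    'image=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe cmd="svchost.exe"',
    'ts=2014-03-20T10:01:05 host=WS01 parent=svchost.exe '
    'image=C:\\Users\\bob\\AppData\\Local\\Temp\\adb.exe cmd="adb.exe install update.apk"',
    'ts=2014-03-20T10:01:07 host=WS01 parent=svchost.exe '
    'image=C:\\Users\\bob\\AppData\\Local\\Temp\\adb.exe cmd="adb.exe shell am start -n com.example/.Main"',
    'ts=2014-03-20T11:30:00 host=DEV07 parent=studio64.exe '
    'image=C:\\Android\\sdk\\platform-tools\\adb.exe cmd="adb.exe install app-debug.apk"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ADB actions that push or run code on a connected handset (install is what the article describes)
ADB_ACTION_RE = re.compile(r"\badb(?:\.exe)?\s+(install|push|shell)\b", re.IGNORECASE)
# Where the SDK's own adb.exe normally lives (assumed; adjust to the site's SDK layout)
SDK_ADB_RE = re.compile(r"\\platform-tools\\adb\.exe$", re.IGNORECASE)
# Parents that legitimately drive ADB on developer machines (assumed allowlist; tune per environment)
TRUSTED_PARENTS = {"studio64.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def adb_findings(lines: List[str]) -> List[Dict[str, str]]:
    """Flag adb install/push/shell launched from outside the SDK or by an untrusted parent."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        m = ADB_ACTION_RE.search(ev.get("cmd", ""))
        if not m:
            continue  # not an ADB action that touches the handset
        reasons = []
        if not SDK_ADB_RE.search(ev.get("image", "")):
            reasons.append("adb.exe outside SDK platform-tools")
        if ev.get("parent", "").lower() not in TRUSTED_PARENTS:
            reasons.append("untrusted parent " + ev.get("parent", "?"))
        if reasons:
            findings.append({"ts": ev.get("ts", ""), "host": ev.get("host", ""),
                             "action": m.group(1).lower(), "reasons": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in adb_findings(SAMPLE_EVENTS):
        print(f)
```

On a real estate, pair this with a Group Policy or device-control rule that blocks unknown USB devices, since ADB only works when USB debugging is enabled on the handset.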

In early 2014, Symantec experts came across Windows malicious code that attempts to infect connected Android devices, serving Android malware in a quite similar way.

The FireEye researchers identified three different applications that are part of the Android surveillance package. With them, attackers can track the victim's GPS position, log keystrokes, grab screenshots of the device, capture text messages, open a backdoor for remote commands and, of course, steal data and send it back to a remote command-and-control server.

“We have found three different applications that are a part of the surveillance package. One of the applications requires commandeering via a window controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” wrote the researchers.

What to expect from the future?

The mobile industry will continue to attract cyber criminals and state-sponsored hackers that demand RATs for financially motivated attacks or surveillance. This is just the beginning: someone may already be in possession of your Android.

Pierluigi Paganini

(Security Affairs – FireEye, WinSpy)
