Contributor: Roberto Sponchioni
Symantec Security Response has recently come across a new remote access tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish speaking underground and the builder itself is rather straightforward with several standard functions, although one function is interesting and is worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe in order to improve its chances of evading detection.
Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker
Real time desktop monitoring
Backdoor.Alusins allows an attacker to view the victim’s desktop and monitor user activity in real time.
Figure 2. Desktop view of compromised computer
It can also monitor and capture real time webcam activity.
Figure 3. Webcam session
Backdoor.Alusins also has the ability to monitor keystrokes on a compromised computer in real time in order to steal information, such as login credentials.
Figure 4. Keylogger
The RAT allows an attacker to communicate directly with the victim by using a series of customizable system error messages. This messaging feature has the potential for great mischief or remote harassment. The attacker could, at any time, send annoying messages or popups to the victim while at the same time, observing the user’s reactions through the webcam. It’s possible that whoever created this tool, had online interactive scams in mind when creating this feature.
Figure 5. Custom error messages that can be displayed on compromised computer
Additionally, Backdoor.Alusins allows an attacker to perform the following actions on a compromised computer:
- Monitor processes
- Open Web pages
- Open and close the optical drive
- End sessions
- View installed programs
- View all services
- Download and execute files
- Connect to a remote host to receive commands
- View the Windows registry
- Retrieve the type and version of installed firewall
- Retrieve the type and version of installed antivirus software
- Exfiltrate system information such as computer name, user name, IP address, operating system version, and language
- Retrieve a list of processes (PID and associated process name)
- Send emails using specified user names and passwords
- Steal user names and passwords for Pidgin and Filezilla
- View or end system processes
This threat is a low prevalence remote access tool that is targeted at, but not limited to, the Spanish hacker base. Symantec detects the back door builder and the back door as Backdoor.Alusins.
To stay protected against this remote access tool and other threats it is essential that users keep their antivirus definitions, operating system, and software up-to-date.