The media recently reported [1] on a potential targeted cyberattack on Alberto Nisman, an Argentine prosecutor who was found dead under mysterious circumstances. The file purportedly found on his phone was reported by the Argentine media to be named “Estrictamente Secreto y Confidencial.pdf.jar”, and as discovered and reported by the researcher Marquis-Boire, a file was indeed uploaded to VirusTotal [2] with the same name. The file was uploaded from Argentina and the upload is time stamped to “2015-05-29 18:48:24”. The file is JAR (Java Archive) file and is a variant of the AlienSpy Remote Access Trojan, or RAT.
AlienSpy RAT supports multiple platforms, and payloads can be crafted for Windows, Linux, Mac OS X and Android operating systems. However, contrary to popular reporting, the JAR file may not have been intended as a payload for the prosecutor’s Android phone. Android payloads are typically APKs (Android Application Package) or native binaries compiled for ARM processors. While technically possible, it is not trivial to get JAR payloads to run on an Android operation system without installing a Java emulation engine. Instead, it is more likely that the payload was intended to be loaded on a desktop environment but may have been inadvertently downloaded on the Android phone, possibly through email or another vector.
AlienSpy payloads seen in the wild are typically obfuscated using Allatori, a commercial obfuscation product for Java that makes the code unreadable to prying eyes in order to evade easy detection. This particular payload was however packaged in an additional layer of obfuscation, which is not commonly seen in recent in-the-wild payloads for AlienSpy. The file structure of the top-level payload is shown in Figure 1.
Attacks in the digital world are often a consequence of ongoing events in the real world. It is unclear whether this attack payload has any relevance to death of Alberto Nisman, but the payload analyzed nonetheless shows how the immense capability that a malware payload provides. RATs such as AlienSpy constitute powerful surveillance tools that would enable them to observe and collect information on the communications and actions of adversaries, making them attractive to state actors and cybercriminals alike. As we continue to observe ‘crossover’ in the traditional targeting of state actors and cybercriminals, public and private organizations need to be on alert for phishing and other attacks designed to deliver RATs such as AlienSpy onto client systems.