Consolidated Marine Management’s (CMM’s) cyber security department has analysed a serious and malicious threat to the maritime industry. The Greek owner of oil and gas carriers identified a cyber threat that has targeted the maritime sector, and has assessed how it could infect a shipping company. According to CMM cyber security expert Lampis Alevizos, the AlienSpy remote access trojan (RAT) can be considered new to the maritime community, although it has infected networks in other sectors in the past. He said an AlienSpy attack could go undetected and open networks up to hackers.
“The attack is performed via a malicious e-mail attachment, such as a Java archive [JAR], containing the AlienSpy RAT,” he said. “But it can also extend to popular office documents such as Microsoft Word and Excel, or an Adobe PDF file. AlienSpy is very powerful in the hands of an attacker.”
The AlienSpy RAT can collect system information for duplication and display this on the attacker’s controller dashboard. Some of the key features supported by the RAT are:
• a file system, process and registry explorer with the ability to view and modify
• ability to run console commands
• key logging to capture user inputs
• ability to download and execute secondary payloads
• credential theft from various browser stores
• ability to spy on the victim through screenshots, webcam and microphone
• remote desktop ability with infected clients
• ability to mine various types of digital currency, such as bitcoin.
These features show how damaging an infection could be to a shipping company, and why this should be avoided. Mr Alevizos said the specific infection e-mail attachment that his department analysed was a variant of the AlienSpy hacking tool that had been hidden to prevent detection.
“We noticed that it was based on a well-known variant of Java,” he explained. “By default, it can bypass a lot of antivirus engines and this one was also fuzzed [deliberately interrupted or mutated], so it had a detection rate of only three in 54 attempts.” Mr Alevizos continued: “Upon execution it silently installs an agent on the victim’s computer and from there it can monitor keystrokes, passwords, local microphone and camera use. It can gain full access to local files and network resources – all of these without being detected.” He added: “The agent is controlled remotely by attackers hidden behind anonymising mechanisms and lost within a cloud of multiple IP addresses all over the world.”
The hacking tool is hidden behind several layers of obfuscation. Mr Alevizos explained that the AlienSpy payload is obfuscated using Allatori, a legitimate commercial obfuscator for Java. This makes the code unreadable in order to evade easy detection. The payload that CMM analysed was packaged in an additional layer of obfuscation, which is not commonly seen in recent AlienSpy payloads. “When looking at the code it became clear that it was an embedded JAR file that was loaded and executed in turn,” said Mr Alevizos. “The JAR file that was unpacked had a structure that was commonly seen in Allatori-obfuscated files. Allatori obfuscates class and variable names, making them difficult to read, and encrypts the original payload in a resource object.”
There was also an embedded PDF file in the JAR, which acted as a decoy document that was launched in the foreground as the AlienSpy payload was executed. The payload was encrypted with the RC4 stream cipher, Mr Alevizos explained. The RC4 key was constructed from a combination of a dynamic and a static string. When CMM decrypted the AlienSpy JAR payload, the cyber security experts found a wide range of features, which could be further extended through secondary plug-ins loaded onto the victim’s machine. Mr Alevizos said the configuration stored various settings, such as the remote server and port to connect to, the install paths, any security detection and the registry persistence location. “The AlienSpy RAT authenticated to the remote command and control server using a connection password,” he added.
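As an added, defender-side illustration (not CMM’s tooling and not part of the original article), the following Python script triages a JAR attachment for the layering described above: a nested JAR loaded in turn, a decoy PDF launched in the foreground, and opaque, high-entropy resource objects that may hold an encrypted payload. The sample JAR it inspects is constructed in memory for the demonstration.

```python
import io
import math
import zipfile
from collections import Counter


def build_sample_jar() -> bytes:
    """Constructed sample: an outer JAR carrying a nested JAR, a decoy PDF and an opaque blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("a/b/c.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
        z.writestr("resources/payload.bin", inner.getvalue())   # nested JAR, no .jar suffix
        z.writestr("resources/doc.pdf", b"%PDF-1.4\n%decoy\n")   # decoy document
        z.writestr("resources/config.dat", bytes(range(256)) * 4)  # stand-in for an encrypted resource
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_jar(jar_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag nested JARs, decoy documents and high-entropy resources inside a JAR."""
    findings = {"nested_jars": [], "decoy_docs": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            name = info.filename.lower()
            if data.startswith(b"PK\x03\x04"):  # zip/JAR magic, whatever the extension says
                findings["nested_jars"].append(info.filename)
            elif data.startswith(b"%PDF") or name.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
                findings["decoy_docs"].append(info.filename)
            elif not name.endswith(".class") and shannon_entropy(data) >= entropy_threshold:
                findings["high_entropy"].append(info.filename)
    return findings


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

Any hit in all three categories at once is a strong reason to detonate the attachment in a sandbox rather than rely on antivirus verdicts alone.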
“The significance of this password to the attacker is unknown but it may serve as good reference for future attack pivots since attackers often reuse settings by habit.” Mr Alevizos concluded: “If ransomware was something new to the maritime industry, we should prepare for something much worse here.”
© 2023 Riviera Maritime Media Ltd.