Hackers hit financial sector with evolved WinSpy Windows and Android RAT

Security firm FireEye has uncovered a new evolved version of the notorious WinSpy remote administration tool (RAT), capable of simultaneously infiltrating Windows and Android systems.
FireEye researchers uncovered the campaign while investigating an attack on an unnamed US financial institution, they reported in a blog post.
"FireEye recently observed a targeted attack on a US-based financial institution via spear-phishing email. In the process of investigating the Windows modules for WinSpy we also discovered various Android components that can be employed to engage in surveillance of a target," read the post.
"We have found three different applications that are a part of the surveillance package. One of the applications requires commandeering via a windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device."
Senior threat intelligence researcher Nart Villeneuve told V3 the combination of Android and Windows components could be used by hackers for a variety of purposes.
"The attacker has the capability to drop and run additional payloads, exfiltrate sensitive data such as account credentials and intellectual property, move laterally across the network as well as surveil the victim by enabling various connected peripherals such as webcams and microphones," he said.
"The data exfiltration component was particularly interesting in this case as the data is stored on a shared command-and-control server offered by the author of the RAT, which provides another level of deniability and anonymity for the attacker."
He added that the attack's focus on targeting both Android and Windows is atypical. "I haven't seen any other RATs that have both Windows and Android capabilities. We have seen Android RATs and Windows RATs, but not the combination of both of them," he said.
Villeneuve said the variant is being traded online and will likely be used to target European businesses in the near future. "The RAT can be purchased online, so it can be used by a variety of attackers. If the RAT's popularity increases, we could see it used in more attacks," he said.
The FireEye researchers said the attack is part of a wider shift within cybercrime communities to adjust their campaigns to target Android. "With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms," read the post.
FireEye is one of many security companies to report a marked rise in the number and sophistication of attacks targeting Android. Security firm McAfee reported detecting a spike in mobile malware levels in its McAfee Labs Threats Report: Fourth Quarter 2013 earlier in March.