
The malware economy is alive and well! And cyber criminals are making big money by using this business model.

The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware has been spotted over the weekend in several targeted attacks against Danish companies.

Given that the malicious email employed to deceive victims is in English, the attackers will most likely not stop at Danish borders.

The RAT was last seen a few months ago, after having been apparently taken down in 2015. It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber criminals are not ready to give up on using it.

A zero percent detection rate associated with these attacks is bound to make potential targets anxious about the effectiveness of their current defenses:

[Image: Adwind RAT detection rate on VirusTotal, July 4 2016]

See full detection rates on VirusTotal.


Adwind RAT – cross-platform, multifunctional and plain destructive


For those yet unfamiliar with the term, here’s a quick definition to help put things into context:

DEFINITION:
A RAT (Remote Access Trojan) is a malicious piece of software designed to infect computer systems to gain administrative access over them. RATs are often distributed through malicious email attachments, rogue software patches or cracked games.

Remote Access Trojans can disguise their presence on the system, just like Adwind is doing in these attacks with zero antivirus detection.

Once the RAT is on the system, the attackers can remotely control the PC and gather key logs, webcam feeds, capture the audio feed, take screenshots and more.

Adwind is an especially insidious threat because it’s cross-platform and can perform this wide range of functions. Successful Adwind infections give online criminals a backdoor into PCs running Windows, OS X, Linux and even Android.

In the observed attacks, the spam email carrying Adwind is delivered with the following contents:

From: [spoofed / fake return address]

Subject Line: Order – Quotation Request

Attached:
Doc-172394856.jar

The .jar file is a Java archive, which shows that Java is still a key liability on computer systems everywhere. If an unsuspecting user opens the archive, the malicious code is executed promptly.

The Adwind RAT can run on any platform that has the Java Runtime Environment installed.
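As an added illustration (not code from the original post or from CSIS), the following Python script shows how a mail gateway can recognise a Java archive by its structure rather than by its extension: a JAR is a ZIP container that carries META-INF/MANIFEST.MF, so an attachment renamed to .pdf is still caught. The sample attachments are constructed in memory; the file name Doc-172394856.jar is the one from the campaign e-mail, the other names and the extension policy are made up for the example.

```python
"""Recognise Java archives among mail attachments by content, not by name.

Added example for this post (not code from the original article or CSIS).
A JAR is a ZIP container that carries META-INF/MANIFEST.MF, so the check reads
the bytes; sample attachments are constructed in memory.
"""
import io
import os
import zipfile
from typing import List, Tuple

# Extensions a mail gateway would normally treat as executable content (assumed policy).
EXECUTABLE_EXTENSIONS = {".jar", ".exe", ".js", ".vbs", ".scr"}

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of the first entry in a non-empty ZIP


def is_jar_archive(data: bytes) -> bool:
    """True if data is a ZIP archive that contains META-INF/MANIFEST.MF."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); content wins over the extension."""
    ext = os.path.splitext(filename)[1].lower()
    if is_jar_archive(data):
        # A JAR renamed to .pdf or .doc is still a JAR: Java will run it just the same.
        return "block", "jar content"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", "executable extension"
    return "allow", ""


def build_sample_jar(main_class: str = "Doc") -> bytes:
    """Construct a minimal JAR-shaped archive: a manifest plus an empty placeholder entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        zf.writestr(f"{main_class}.class", b"")  # empty placeholder, not bytecode
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Construct an ordinary ZIP with no manifest, to show it is not flagged as a JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


def scan_attachments(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Classify each (filename, bytes) pair and return (filename, verdict, reason) rows."""
    return [(name, *classify_attachment(name, data)) for name, data in attachments]


# Constructed sample mailbox: the first name is the one from the campaign e-mail.
SAMPLE_ATTACHMENTS = [
    ("Doc-172394856.jar", build_sample_jar()),
    ("Quotation.pdf", build_sample_jar()),     # JAR bytes behind a harmless-looking name
    ("invoice.pdf", b"%PDF-1.4\n%constructed placeholder\n"),
    ("archive.zip", build_plain_zip()),
    ("setup.exe", b"MZ constructed placeholder"),
]

if __name__ == "__main__":
    for name, verdict, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5} {name:22} {reason}")
```

The point of checking the manifest rather than the extension is that the Java launcher does not care what the file is called once a user double-clicks it through an association, so a gateway that only blocks `*.jar` misses a renamed archive.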

With 16 vulnerabilities so far in 2016, Java is already a culprit in many attacks against users and organizations all over the world. And these are serious security issues, which allow attackers to execute code, trigger overflows and gain privileges on the compromised system.

In the observed attacks, if the Adwind code is executed, the infected computer will be immediately recruited into a botnet.

This variant of Adwind RAT is configured to communicate with the following server [sanitized]: jmcoru.alcatelupd [.] Xyz.

This specific server has also been used in other RAT campaigns. Other campaigns have also employed various dynamic DNS services, such as:

cool [.] secure network [.] host
soycraft2 [.] duia [.] pw
bfbackup [.] baepaws [.] ru
loudpack101 [.] ddns [.] net
league [.] runescape [.] csgo [.] silicone routing [.] pw
airzwcvzq [.] nullroute [.] pw
manbks123 [.] ddns [.] net
machination [.] xinvasion [.] xyz
zarasrl2016 [.] ddns [.] net

The domains listed above and many others are all part of a wave of persistent attacks against a number of commercial and non-commercial organizations. Adwind has often been related to refined APT campaigns, so it’s no surprise that we should find this RAT in this context.
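The sanitized domains above can be turned into a detection check. The following Python script is an added example (not the article's or CSIS's code): it refangs the published indicators and scans DNS query logs for names that equal an indicator or sit under it, while leaving a query for the bare dynamic-DNS parent zone alone. The log layout (timestamp, client IP, "query", record type, name) and the log lines are constructed for the example; the two list entries whose sanitized form contains internal spaces are left out because their exact spelling is ambiguous.

```python
"""Match the post's sanitized C2 domains against DNS query logs.

Added example for this post (not code from the original article or CSIS).
Indicators are the defanged entries published above; the log layout and
the log lines are constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Defanged as published in the post. Two entries whose sanitized form contains
# internal spaces are omitted because their exact spelling is ambiguous.
DEFANGED_INDICATORS = [
    "jmcoru.alcatelupd [.] Xyz",
    "soycraft2 [.] duia [.] pw",
    "bfbackup [.] baepaws [.] ru",
    "loudpack101 [.] ddns [.] net",
    "airzwcvzq [.] nullroute [.] pw",
    "manbks123 [.] ddns [.] net",
    "machination [.] xinvasion [.] xyz",
    "zarasrl2016 [.] ddns [.] net",
]


def refang(indicator: str) -> str:
    """Turn 'a [.] b' back into 'a.b', lower-cased (DNS names are case-insensitive)."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip()).lower()


INDICATORS = [refang(i) for i in DEFANGED_INDICATORS]


def matches_indicator(qname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that qname equals or sits under, else None.

    A query for the parent zone alone (e.g. ddns.net) does not match, since the
    dynamic-DNS provider is not itself the indicator.
    """
    q = qname.rstrip(".").lower()
    for ioc in indicators:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Assumed log layout: <timestamp> <client-ip> query <rrtype> <qname>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")

Hit = Tuple[str, str, str, str]  # (timestamp, client, queried name, matched indicator)


def scan_dns_log(log_text: str, indicators: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect the queries that hit an indicator."""
    indicators = list(indicators)
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ioc = matches_indicator(m["qname"], indicators)
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"].rstrip("."), ioc))
    return hits


# Constructed sample log; the client IPs and timestamps are made up.
SAMPLE_DNS_LOG = """\
2016-07-04T09:12:01Z 10.0.1.23 query A www.example.com
2016-07-04T09:12:07Z 10.0.1.23 query A jmcoru.alcatelupd.xyz
2016-07-04T09:13:40Z 10.0.1.88 query A update.loudpack101.ddns.net
2016-07-04T09:14:02Z 10.0.1.88 query A ddns.net
2016-07-04T09:15:55Z 10.0.1.42 query A soycraft2.duia.pw.
garbage line that does not parse
"""

if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, INDICATORS):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

Suffix matching on the indicator with a leading dot is what keeps a hit on `update.loudpack101.ddns.net` while ignoring the shared `ddns.net` zone; since most of the listed hosts live on dynamic-DNS providers, matching on the provider zone alone would flood the alert queue with unrelated traffic.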

The objective of these types of attacks is always dual: to exfiltrate data from the compromised organizations and to open a backdoor which allows attackers to feed more malware into the affected machines.

As far as protection measures go, the recommended approach is to always build your data security in layers. Try to set up multiple levels of defenses, so cyber attacks can be stopped or mitigated at each of these levels.


Conclusion


We’ve seen it in ransomware attacks and it seems to be catching on in other malware campaigns as well. We’re talking about a new, more agile way to launch cyber attacks.

Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means fewer resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike.

Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them.

The months spent between these resurgences of Adwind could also signal that attackers are taking their time to prepare their strikes, to maximize their chances for success.

Surely, by the end of the year, we will be able to see if this tendency gains traction in the cyber criminal community. Unfortunately, we will probably have plenty of cyber attacks to analyse and draw conclusions from.

* This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

I fell for this trick, and downloaded a .jar file on my nexus6p from a Fedex email attachment, but it ended up not opening. Did the Java Adwind end up not running because my android device does not have java? Or should I wipe my device to be safe?

Hi Al! Android does, in fact, include Java and can also run Java files, so the best thing you could do is wipe your phone and do a clean reinstall of your apps. Also, I recommend you read this security guide and follow the steps inside to increase your smartphone protection: https://heimdalsecurity.com/blog/smartphone-security-guide-keep-your-phone-data-safe/

This article is informative and it routed me to a very important resource: How to Protect Your PC with Multiple Layers of Security.

[…] colleague referred me to an article on a piece of cross-platform malware, called Adwind RAT (short for “remote access tool”), that was going […]

[…] July alone, researchers spotted Adwind involved in multiple targeted attack campaigns aimed at Danish […]

[…] A cross-platform malware that steals user information, developed for several years and re-emerging since around mid-2016 as "Adwind RAT (Remote Access Tool)", has now come to affect Macs as well, reports Thomas Reed, lead researcher at US-based Malwarebytes. […]


[…] details can be found on the researcher's page. At the same time, we advise that, to protect your devices, you should never download […]

[…] a blog post, Andra Zaharia of Heimdal Security revealed that cybercriminals are sending malicious emails to […]

[…] Security Alert: Adwind RAT Spotted In Targeted Attacks With Zero AV Detection. “The RAT was last seen a few months ago, after having been apparently taken down in 2015. It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber criminals are not ready to give up on using it. A zero percent detection rate associated with these attacks in bound to make potential targets anxious about the effectiveness of their current defenses.” (Source: Heimdal Security’s Blog) […]

[…] bad guys were quite busy last weekend, so on Monday we reported that the Adwind Remote Access Trojan resurfaced in a campaign which went on for quite a while without being detected by […]

[…] been spotted over the weekend in several targeted attacks against Danish companies.” states a blog post published by Heimdal […]

[…] “Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike,” Heimdal’s Andra Zaharia explains. […]

Hi

So what should I do to protect my company against this Trojan?

Hi Anna! The best approach is to build a system that includes multiple layers of protection. We explained how to do this in this step-by-step guide: https://heimdalsecurity.com/blog/protect-your-pc-multiple-layers-security/

I hope you’ll find it useful!
