Security Alert: Spam Campaign Spreads Adwind RAT variant, Targeting Computer Systems
Here’s how this malicious JBifrost RAT gets undetected by antivirus solutions
The malware economy is still alive and well. Cybercriminals continue to turn their attention to more targeted attacks with a smaller infrastructure to carry out. Phishing emails remain a preferred attack vector for malicious actors focused on getting access to users’ valuable data.
Security researchers recently saw and analyzed a targeted spam campaign in which cybercriminals try to lure victims into clicking on a malicious link.
In the observed attack, the spam email is carried with the following content:
From: [Spoof / Forwarded Sender Address]
payment swift copy-USD-39,814-15
Content (sanitized for your own protection):
Please find herewith the attached file of payment swift copy-USD-39,814-15. Please acknowledge receipt it.
https: //www.dropbox [.] com / s / 6etniblieaywcpm / PAYMENT% 20SWIFT% 20COPY_Parimex% 20USD_39% 2C814-15_pdf.zip? dl = 3D1 “
If the users click on the link pointing to Dropbox and activate the archive, they will receive a malicious zip file containing the following content: “PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar”
A JAR (Java ARchive) is actually a ZIP file used by the Java Runtime Environment (JRE) framework to execute Java programs.
JBiFrost is an Adwind RAT version that has been rebranded by the malicious actors behind it and made its appearance to the malware market in 2016.
This variant of RAT is configured to communicate with the following C & C server on this domain (sanitized for your safety) vvrhhhnaijyj6s2m.onion [.] Top. With the help of a RAT, attackers can remotely access the file system to read, write or delete files.
The objective of this type of attack can be to exfiltrate data from compromised systems and to open a backdoor which lets online criminals to feed more malware into the targeted machines.
According to VirusTotal, only 17 antivirus products out of 61 have managed to detect this spam campaign at the time we write this security alert.
How to prevent being infected with Adwind RAT
This type of malware can evade detection in the first place, so it’s essential to take all the security measures needed to keep your data safe.
- Keep your operating system, including all your apps and software programs, up to date, because it’s the first place where malicious actors can exploit vulnerabilities.
- Once again, we remind you: DO NOT open emails or click on files/attachments that look suspicious to you;
- Always have a backup with all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Use this guide to learn how to do it;
- Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
- It would be safer to add multiple layers of protection and use a proactive cybersecurity software solution;
- Prevention is the best cure, so learning as much as possible about how to easily detect spam emails is always the right mindset. We recommend these free educational resources to gain more knowledge in the cybersecurity industry.
*This article features cyber intelligence provided by CSIS Security Group researchers.