The malware economy is alive and well! And cyber criminals are making big money by using this business model.
The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware was spotted over the weekend in several targeted attacks against Danish companies.
Given that the malicious email employed to deceive victims is in English, the attackers will most likely not stop at Danish borders.
The RAT was last seen a few months ago, after having apparently been taken down in 2015. It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber criminals are not ready to give up on using it.
A zero percent detection rate associated with these attacks is bound to make potential targets anxious about the effectiveness of their current defenses:
See full detection rates on VirusTotal.
Adwind RAT – cross-platform, multifunctional and plain destructive
For those yet unfamiliar with the term, here’s a quick definition to help put things into context:
A RAT (Remote Access Trojan) is a malicious piece of software designed to infect computer systems and gain administrative access over them. RATs are often distributed through malicious email attachments, rogue software patches or cracked games. Remote Access Trojans can disguise their presence on the system, just like Adwind is doing in these attacks with zero antivirus detection.
Once the RAT is on the system, the attackers can remotely control the PC and capture keystrokes, webcam and audio feeds, take screenshots and more.
Adwind is an especially insidious threat because it’s cross-platform and can perform this wide range of functions. Successful Adwind infections give online criminals a backdoor into PCs running Windows, OS X, Linux and even Android.
In the observed attacks, the spam email carrying Adwind is delivered with the following contents:
From: [spoofed / fake return address]
Subject Line: Order – Quotation Request
The .jar file is a Java archive, demonstrating that Java is still a key liability in computer systems everywhere. If an unsuspecting user opens the archive, the malicious code is executed promptly.
The Adwind RAT can run on any platform with a Java Runtime Environment installed.
With 16 vulnerabilities so far in 2016, Java is already a culprit in many attacks against users and organizations all over the world. And we're talking about serious security issues, which allow attackers to execute code, trigger overflows and gain privileges over the compromised system.
In the observed attacks, if the Adwind code is executed, the infected computer will be immediately recruited into a botnet.
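As an added defender-side example (not code from the original post), the following Python script triages an incoming message for the delivery indicators described above: the "Order – Quotation Request" subject line and a JAR attachment, identified by content (ZIP magic plus a Java manifest or .class entries) so that a renamed .jar is still caught. The sender address and the attachment name are constructed placeholders; the post does not give the real ones.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject line used in the observed campaign (from the post); dashes are normalised before comparison.
SUSPICIOUS_SUBJECTS = {"order - quotation request"}
JAR_MAGIC = b"PK\x03\x04"  # a .jar is a ZIP archive, so it starts with the ZIP local-file header

def is_jar(payload: bytes) -> bool:
    """True for a ZIP archive carrying a Java manifest or .class entries (content check, not file name)."""
    if not payload.startswith(JAR_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)

def triage_email(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report the Adwind delivery indicators described in the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").replace("\u2013", "-").strip().lower()
    findings = {"subject_match": subject in SUSPICIOUS_SUBJECTS, "jar_attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if is_jar(data) or name.lower().endswith(".jar"):
            findings["jar_attachments"].append(name)
    return findings

def build_sample_email() -> bytes:
    """Constructed test input: a harmless manifest-only JAR under a misleading double extension (placeholder sender)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Quotation\n")
    msg = EmailMessage()
    msg["From"] = "sales@example.invalid"
    msg["Subject"] = "Order \u2013 Quotation Request"
    msg.set_content("Please find our order attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="Order_Quotation.pdf.jar")
    return bytes(msg)

if __name__ == "__main__":
    print(triage_email(build_sample_email()))  # {'subject_match': True, 'jar_attachments': ['Order_Quotation.pdf.jar']}
```

Feeding the script real .eml files from a mail gateway quarantine gives a quick first pass before any sandboxing; a hit on the JAR content check alone is worth blocking even when the subject differs.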
This variant of Adwind RAT is configured to communicate with the following server [sanitized]: jmcoru.alcatelupd [.] Xyz.
This specific server has also been used in other RAT campaigns. Other campaigns have also employed hostnames registered under various dynamic DNS services.
The domains used across these campaigns, and many others, are all part of a wave of persistent attacks against a number of commercial and non-commercial organizations. Adwind has often been linked to refined APT campaigns, so it's no surprise to find this RAT in this context.
The objective of this type of attack is always twofold: to exfiltrate data from the compromised organizations and to open a backdoor through which attackers can feed more malware into the affected machines.