Malicious attachment contains Adwind cross-platform remote access Trojan. Cybercriminals are using clickbait, promising a video showing Democratic Party presidential nominee Hillary Clinton exchanging money with an ISIS leader, in order to distribute malicious spam emails.
Figure 1. Malicious spam using Hillary Clinton as clickbait
The email’s subject announces “Clinton Deal ISIS Leader caught on Video,” however there is no video contained in the email, just malware. Adding to the enticement, the email body also discusses voting, asking recipients to “decide on who to vote [for]” after watching the non-existent clip. The spam email signs off with the name of an unknown group called “Lets Save America” and a #letssaveUSA hashtag. We found references to this hashtag on Twitter in 2013, but it appears unrelated.
Adwind Java RAT
Attached to the email is a .zip file containing a malicious Java file. If executed, the recipient is infected with a Java remote access Trojan (RAT) Symantec detects as Backdoor.Adwind. We also observed two Visual Basic Script (VBS) files dropped by the malware that allow it to determine which antivirus and firewall software may be running on the compromised computer.
Adwind attempts to connect to windows8pc.space, a command and control (C&C) server to download and execute additional files. This server was unresponsive at the time of this publication.
The Adwind RAT is multi-functional and cross-platform, making it possible to infect Windows, Mac, Linux, and Android operating systems.
Unsurprising distribution results
As you would expect, with 85 percent of recipients, the primary target for these malicious spam messages is the United States. We also observed a smaller amount delivered to the United Kingdom, Canada, and Mexico.
Figure 2. Malicious spam distribution
United States election makes for valuable bait
As with most major events, the US election serves as valuable bait for malicious spam activity. With less than 90 days to go until Election Day, we advise everyone to keep an eye out for suspicious emails that may use either presidential candidate, Hillary Clinton or Donald Trump, as bait.