Adwind RAT Affects Macs, but It’s Almost Useless

Share this…

Adwind author still has a lot of work ahead of him. Security researchers have observed an instance of the Adwind RAT dropping a Mac payload for the first time, but despite the crook’s best efforts, in any normal circumstances, the payload would have rarely manage to infect any Mac users.

Adwind is a remote access trojan (RAT) that has appeared at the start of the 2010s, and has been advertised under several names such as Frutas RAT, Unrecom RAT, AlineSpy, and most recently JSocket RAT.

This malware is written in Java, and as such, has the capability of infecting all major operating systems where Java is supported, such as Windows, Mac, Linux, and Android.

Adwind RAT dropping malicious JAR file on Macs

Until now, Adwind infections have been spotted numerous times on Windows and Android devices, with Mac and Linux being nothing more than a theoretical capability.

Researchers from Malwarebytes have discovered a recent version of the Adwind RAT, distributed as part of a malware distribution campaign that was spotted at the start of the month, which actually dropped a Mac-specific payload when infecting Mac devices.

Until now, researchers that run Adwind malware on Mac systems would often receive Windows-specific malware, which was incapable of causing any damage to Mac users.

Mac payload added a rogue launch agent

This time around, Malwarebytes’ team says the JAR file received as spam, when executed, added a new launch agent to the Mac that executed a binary from a hidden folder, which in one case even started the researcher’s Web camera.

Outside snooping on your camera, Adwind has even more potentially dangerous features, such as the capability to download and install software, steal passwords, take screenshots of the user’s screen, and upload stolen files to a server.

Despite all these scary features, Mac users are generally safe, according to Malwarebytes researcher Thomas Reed. “Adwind is, overall, a fairly weak effort on the Mac,” he says.

In order to infect a victim, the researcher highlighted a few details that would make an Adwind infection on Macs a very improbable event.

Despite payload, infection would never ocurr in a real-world scenario

First, the researcher highlighted that the user would have to have had Java installed to run the JAR file he received via email. Apple stopped including Java with OS X a few years back, and very few users still have this app installed on their computers.

This meant the user had to specifically download and install Java, which the researcher said is not a trivial task, mainly due to Oracle’s complicated website.

After installing Java, launching the JAR file would trigger a GateKeeper warning, which the user would have to bypass via a complicated process. The warning would appear because the JAR file was not signed by a valid digital certificate.

If the user was so careless to carry out all these improbable operations, he would immediately detect something suspicious, because as soon as the user executed the file, a quick terminal would flash in front of his eyes, and then nothing else. No fake document, no fake app GUI, nothing. This would immediately raise red flags with any user paying enough attention to his screen, which would then scan the system for malicious content or notify his system administrator.

So in spite of the fact that Adwind may be a cross-platform malware and it may now be dropping Mac payloads, Adwind creators need to put a lot of work in modifying their infection mechanism if they ever want to really target and hijack Mac systems.

GateKeeper warning shown when the user tries to run the JAR file

GateKeeper warning shown when the user tries to run the JAR file