Security experts at TrendMicro discovered that the notorious Adwind RAT has resurfaced targeting enterprises in the Aerospace industries worldwide.
Crooks are even more opportunists, they continually innovate their TTPs to maximize their profits to target the largest number of victims.
Adwind is a cross-platform RAT, it is able to infect all the major operating systems, including Windows, Mac, Linux, and Android.
Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks).
Malware researchers from Trend Micro observed a spike in the number of Adwind infections in June 2017, an increase of 107 percent compared to the previous month.
The Adwind RAT implements many features, including stealing credentials, keylogging, taking screenshots and pictures, data gathering and data exfiltration.
The malicious campaign was noticed on two different waves, the first one on June 7 and used a link to divert victims to a .NET-written malware equipped with spyware capabilities, while the second one on June 14 and crooks used different domains hosting their malware and C&C servers.
Both attacks leveraged spam emails that impersonate the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.
Once infected, the malicious code gathers information on the victims, including the list of installed antivirus and firewall applications.
“Based on jRAT-wrapper’s import header, it appears to have the capability to check for the infected system’s internet access.” continues the analysis. “It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions.”
Considering that the main infection vector for the Adwind RAT are spam messages, users have to be suspicious of unsolicited messages containing documents or links. Never open a document or click on links inside those emails if you haven’t verified the source.