Adwind RAT is back, crooks are targeting Aerospace industries in many countries

Share this…

Security experts at TrendMicro discovered that the notorious Adwind RAT has resurfaced targeting enterprises in the Aerospace industries worldwide.

Crooks are even more opportunists, they continually innovate their TTPs to maximize their profits to target the largest number of victims.


Security experts at TrendMicro have discovered that the notorious Adwind RAT has resurfaced and cyber criminals are using it to target businesses in the aerospace industry in several countries.
Adwind is a cross-platform Remote Access Trojan written in Java, it was detected recently in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US.
The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).

Adwind is a cross-platform RAT, it is able to infect all the major operating systems, including Windows, Mac, Linux, and Android.

Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks).

Malware researchers from Trend Micro observed a spike in the number of Adwind infections in June 2017, an increase of 107 percent compared to the previous month.

“Unsurprisingly we saw it resurface in another spam campaign. This time, however, it’s mainly targeting enterprises in the aerospace industry, with Switzerland, Ukraine, Austria, and the US the most affected countries.” states the analysis published by Trend Micro.
“the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware.”
Adwind spam campaign

The Adwind RAT implements many features, including stealing credentials, keylogging, taking screenshots and pictures, data gathering and data exfiltration.

The malicious campaign was noticed on two different waves, the first one on June 7 and used a link to divert victims to a .NET-written malware equipped with spyware capabilities, while the second one on June 14 and crooks used different domains hosting their malware and C&C servers.

Both attacks leveraged spam emails that impersonate the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.

Once infected, the malicious code gathers information on the victims, including the list of installed antivirus and firewall applications.

“Based on jRAT-wrapper’s import header, it appears to have the capability to check for the infected system’s internet access.” continues the analysis. “It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions.”

Considering that the main infection vector for the Adwind RAT are spam messages, users have to be suspicious of unsolicited messages containing documents or links. Never open a document or click on links inside those emails if you haven’t verified the source.