Adwind remote access Trojan makes a comeback and it’s got smarter


The Adwind cross-platform, malware-as-a-service Trojan has been around since 2012. Spread by phishing emails claiming to be invoices, purchase orders, and requests for quotations, it’s aimed at high-value targets like finance departments.

While it never completely disappeared, in recent years the number of attacks did die down. However, security awareness training company KnowBe4 has noted an upsurge in Adwind emails during October of this year.

“In early October we noticed an uptick in the number of phishing emails reported by customers that were sporting .JAR (Java) attachments — a hallmark of Adwind/AlienSpy,” says Stu Sjouwerman, CEO of KnowBe4. “Occasional upticks in certain threats are nothing remarkable as various malware gangs experiment with new phishing campaigns, changing up their usual menu to temporarily begin pushing different types of malware. By mid-October it had become apparent that this minor uptick had taken on legs, with an ever-increasing number of poisonous emails being forwarded to us by customers.”
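As an added illustration (not KnowBe4's or the article's own code), a Python triage check built around the .JAR hallmark quoted above: it flags mail attachments that are JAR files by extension or by content (a ZIP carrying META-INF/MANIFEST.MF, so renaming the file does not hide it) and notes when the subject uses the invoice, purchase-order or quotation lures the article describes. The sample message and JAR are constructed here, and the subject line is a placeholder.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure themes the article names: invoices, purchase orders, requests for quotation.
LURE_TERMS = ("invoice", "purchase order", "quotation", "rfq")

def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying a JAR manifest, whatever the filename says."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> list[str]:
    """Return reasons to quarantine the message; an empty list means no Adwind-style indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").lower()
    lure = any(term in subject for term in LURE_TERMS)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".jar"):
            reasons.append(f"attachment {name!r} has a .jar extension")
        elif looks_like_jar(payload):
            reasons.append(f"attachment {name!r} is a JAR despite its extension")
    if reasons and lure:
        reasons.append("subject uses an invoice/PO/RFQ lure")
    return reasons

def _sample_jar() -> bytes:
    """Constructed sample: an empty JAR (a ZIP with only a manifest), not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def _sample_message(filename: str) -> bytes:
    """Constructed phishing-style message with the sample JAR attached under the given name."""
    msg = EmailMessage()
    msg["Subject"] = "Purchase Order 4471 - please confirm"  # placeholder lure subject
    msg.set_content("Please find the attached purchase order.")
    msg.add_attachment(_sample_jar(), maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Running `triage_message(_sample_message("PO_4471.pdf"))` shows the content check catching the JAR even when the extension is disguised.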

KnowBe4 has taken a closer look and finds that the Trojan has undergone considerable development. The latest Java files have doubled in size and contain new functionality, including sandbox detection; the detection, disabling and killing of various antivirus and security tools; TLS-protected command-and-control; and anti-reverse-engineering and anti-debugging protection.


The latest version also packs an array of data-gathering tools, including the collection of system information (IP, OS version, memory information, Java version, computer name, etc.), capturing webcam and microphone traffic without user notification, a file manager that allows access to files in the context of the current user, and browser password theft, among others.

“Adwind and its several variants are designed primarily to surreptitiously collect and securely exfiltrate data from compromised boxes, including emails, files, credentials, and virtually anything else that can be vacuumed up via the malware’s embedded tools,” adds Sjouwerman. “The PCs of employees working in finance and accounting are highly likely to contain sensitive and extremely valuable data that could provide malicious actors access to the most sensitive accounts within an organization, including those that control financial resources, to say nothing of the treasure trove of customer and client data that could be used to bootstrap attacks on still more vulnerable organizations.”

You can find out more about the latest version of Adwind along with the email subject lines to look out for on the KnowBe4 blog.