Threat Watch

Adwind RAT

Adwind is a RAT (Remote Access Trojan) that has been connected to at least 400,000 attacks against industries worldwide in the past and is now making a comeback with a new toolkit. Adwind also goes by AlienSpy, jRat, and JSocket. The malware can record key strokes, collect PC information, steal credentials, record video and sound, and take screenshots. Recent variants of Adwind have been targeting the field of cryptocurrency and can steal cryptographic keys that are required to access wallets on compromised systems. Infection begins with a malicious payload delivered via phishing campaigns. The malicious emails contain JAR (Java ARchive) files which will connect to the RAT’s C&C server to download additional payloads and transfer the hijacked data once executed. In previous attacks, the trojan has been seen targeting industries such as finance, shipping, manufacturing, and telecoms, along with others while being detected in Hong Kong, India, Turkey, the US, and Vietnam. A new campaign was seen in August 2018, targeting Windows, Linux, and Mac machines in Germany and Turkey. The new campaign includes DDE (Dynamic Data Exchange) code injection attack which is aiming to compromise Excel and circumvent signature-based antivirus software. The phishing emails contain a .CSV or .XLT attachment which are opened by Excel as default. The files include one of two droppers that leverage the DDE injection. Other extensions seen include .html, .db, and .xlc. Not every extension will be opened by Excel by default. According to researchers, “For the non-default extensions a script starting Excel with a file with one of these extensions as a parameter is still a viable attack scenario.” Adwind may also implement some obfuscation. Instead of signature-based software detecting the file as a dropper, it could think that the file is corrupted. Excel will detect the opened file as potentially corrupted, though the user can still open it if they want to. Microsoft will warn the user if they decide to open the file. If the file is opened, it will create a Visual Basic script which uses the bitsadmin tool. This is used to download the final payload containing the commercial packer Allatori Obfuscator. The file is then decompressed to deploy the full Adwind RAT.

ANALYST NOTES