Undetectable Adwind RAT used in targeted attacks

Pierluigi Paganini July 05, 2016

Experts from security firm Heimdal Security have detected a malicious spam campaign delivering attachments laced with the Adwind RAT.

Experts from cyber security firm Heimdal Security has spotted a spam campaign delivering the Adwind RAT (Remote Access Trojan).

The threat is a privileged weapon in the arsenal of criminal organizations, the Adwind RAT is a cross-platform malware that can perform a wide range of malicious functions, including the set up of a backdoor into the victim’s PC.

According to the firm security company, the campaign was launched during the weekend and only targeted Danish businesses, but experts believe it could soon target other countries.

Malware researchers from Heimdal reported that the malicious emails came with a file attachment named Doc-[Number].jar, and the bad news is that according to the online antivirus scanning service VirusTotal no antivirus engine was able to detect the threat. This circumstance is very intriguing if we consider that the Adwind RAT was first spotted four years ago.

The Adwind RAT is able to run on any platform that supports Java Runtime Environment.

The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).

AlienSpy RAT

“The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware has been spotted over the weekend in several targeted attacks against Danish companies.” states a blog post published by Heimdal Security.

“A zero percent detection rate associated with these attacks in bound to make potential targets anxious about the effectiveness of their current defenses”

Experts noticed that once the Adwind RAT infects a machine it is recruited into a botnet that is controlled by the server jmcoru.alcatelupd [.] Xyz that was also used in other RAT campaigns.

Researchers highlighted that the Adwind RAT could represent a valid hacking tool in targeted attacks, it allows APT groups to exfiltrate data and remotely control the infected machine by using a small and agile infrastructure.

“Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike.” concludes Heimdal Security.

“Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them.”

In February 2016, security experts at Kaspersky have spotted a new variant of the malware that has been modified and offered as a service in the criminal underground. Researchers at Kaspersky observed more than 150 attack campaigns relying on the new variant of AlienSpy, bad actors in the wild targeted more than 60,000 individuals.

The analysis of subscribers to the malware-as-a-service revealed that the majority of clients come from the US, Canada, Russia, and Turkey.

AlienSpy RAT family jsocket-640x584 Ars 2

Image from Ars post

The new variant of AlienSpy, dubbed JSocket and jRat, was available for rent on the Internet at prices ranging from $30 for one month to $200 for an unlimited version.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Adwind RAT, malware-as-a-service)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment