Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems.
Adwind is a remote access Trojan (RAT), the samples used in the recently discovered campaign are Adwind 3.0 RAT and leverage the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.
The campaign was uncovered at the end of August, attackers mainly targeted users in Turkey (75%), experts noticed that other victims were located in Germany, but likely members of the Turkish community.
The spam campaign uncovered by the experts leveraged on malicious documents that were written in Turkish.
“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” reads the analysis published by Cisco Talos.
The experts observed at least two different droppers in this campaign that use both the .csv or .xlt files that are opened by default by Microsoft Excel.
Both of them would leverage a new variant of the DDE code injection attack, although this technique is well-known, the variant used in this campaign is still undetected.
The dropper file can have more than 30 different file extensions some of them are not opened by Excel by default, however, the attackers can use a script launching Excel with a file with one of these extensions as a parameter.
“Formats like CSV doesn’t have a predefined header, thus it can contain any kind of data at the beginning. Having random data like in the samples we found my trick the anti-virus into skip the file scanning. Other formats may be considered corrupted, as they might not follow the expected format.” continues the report.
Excel will display differed warnings to the user regarding the execution of code, the first related to the execution of a corrupted file, the second one notifies the user that the document will execute the application “CMD.exe.”
If the user accepts all the warnings, the application is executed on the system.
Talos pointed out that attackers aim at injecting code that would create and execute a Visual Basic Script that uses the bitasdmin Microsoft tool to download or upload jobs and monitor their progress, to get the final payload in the form of a Java archive.
The Java code is packed with the demo version of the “Allatori Obfuscator commercial packer, version 4.7.
The final payload is a sample the Adwind RAT v3.0.
“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations.” Talos concludes.
“This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,”
Further details, including IoCs, are reported in the analysis published by Talos.
(Security Affairs – Adwind RAT, malware-as-a-service)