A new variant of the popular Adwind RAT (aka
“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by
Once the Adwind RAT has infected a computer, it can recruit it into a botnet for a range of illegal purposes (e.g. DDoS attacks, brute-force attacks).
Experts pointed out that the functionality of the RAT has remained the same as in previous variants; the major change is the obfuscation technique it implements. The malware
“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the a
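The nested-JAR layering described above is a common packing trick: the top-level JAR that reaches a mail gateway or sandbox is mostly a loader, and the real payload only appears after several unpacking stages, which is why the outer file scores far fewer detections than the final stage. The following Python script is an added example, not Netskope's code and not derived from the Adwind samples; it builds a constructed multi-layer JAR, then walks every embedded JAR recursively and records the SHA-256 of each layer, which is the kind of per-stage hash list an analyst needs to compare detection ratios layer by layer. It assumes the layers are plain nested ZIP containers; a stage that the loader decrypts at runtime (as with the "final decrypted JAR" in the report) would have to be decrypted with the loader's own routine before this walker could descend into it.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP/JAR container


def build_nested_jar(depth: int, payload: bytes) -> bytes:
    """Construct a synthetic JAR wrapping `payload` in `depth` nested JARs.

    This is stand-in test data (a fake loader class plus the previous
    layer as an embedded .jar), not an Adwind sample.
    """
    inner = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nMain-Class: Loader\n")
            # Class files start with 0xCAFEBABE, so they are never mistaken for a ZIP.
            zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
            name = "payload.class" if level == 0 else f"stage{level}.jar"
            zf.writestr(name, inner)
        inner = buf.getvalue()
    return inner


def unpack_layers(blob: bytes, max_depth: int = 10):
    """Recursively descend into every entry that is itself a ZIP/JAR.

    Returns a list of (depth, entry_name, sha256_hex) tuples, outermost
    layer first, so each stage can be looked up or submitted separately.
    Non-ZIP entries (class files, resources) are not descended into, and
    a corrupt or truncated container stops the walk at that layer rather
    than raising.
    """
    results = []

    def walk(data: bytes, depth: int, name: str) -> None:
        results.append((depth, name, hashlib.sha256(data).hexdigest()))
        if depth >= max_depth or not data.startswith(ZIP_MAGIC):
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info.filename)
                    if member.startswith(ZIP_MAGIC):
                        walk(member, depth + 1, info.filename)
        except zipfile.BadZipFile:
            return  # deliberately malformed or truncated container: stop here

    walk(blob, 0, "<top-level>")
    return results


if __name__ == "__main__":
    # Constructed sample: a fake class payload wrapped in three JAR layers.
    sample = build_nested_jar(3, b"\xca\xfe\xba\xbe" + b"\x00" * 20)
    for depth, name, digest in unpack_layers(sample):
        print(f"layer {depth}: {name:<14} sha256={digest}")
```

Each printed digest corresponds to one stage that could be checked independently against a scanner or an IOC list; the point of the exercise is that a detection written against the outermost hash alone never sees the inner stages.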
“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” conclude the experts. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”
Netskope’s report includes Indicators of Compromise (IOCs): hashes of the JAR payloads used in these attacks at each layer, and the IP addresses and domains of the C&C infrastructure.