Adwind Trojan Uses Phishing To Circumvent Antivirus And Infect Workstations


Charlie Osborne reported at ZDNet that Adwind, a Remote Access Trojan (RAT) previously connected to attacks against industries worldwide, is back with a new toolkit designed to trick antivirus programs into allowing the malware to exploit systems.

On Monday, cybersecurity researchers from Cisco Talos, together with intelligence partner ReversingLabs, released the results of an investigation into the Adwind Trojan's latest campaign.

Also known as AlienSpy, JSocket, and jRat, the Trojan is a malware variant that contains a wide variety of 'skills.'

Not only is the RAT able to collect PC information and keystrokes, as well as steal credentials and data submitted via web forms, the malware is also able to record video, sound, and take screenshots. The Trojan is also able to tamper with system files and transfer content without user consent.

More recent variants of the Trojan have been upgraded to consider the lucrative field of cryptocurrency, and Adwind can now also attempt to steal the cryptographic keys required to access cryptocurrency wallets on infected systems.

The Trojan infects PCs after being sent as a malicious payload via phishing campaigns. Crafted emails contain malicious JAR files which, once executed, connect to the RAT's command-and-control (C2) server to download additional payloads and transfer stolen data.

The malware has previously been connected to at least 400,000 attacks against businesses in finance, manufacturing, shipping, and the telecoms industry, among others.

The Trojan has been detected in countries including Turkey, the US, India, Vietnam, and Hong Kong and is counted upon to spread to Europe and the U.S.

The multi-functional Trojan is also a known offering on malware-as-a-service (MaaS) platforms and can be used by threat actors willing to pay a subscription.

A new spam campaign emerged in August which is spreading Adwind 3.0, one of the latest detected variants of the Trojan. The campaign targets Windows, Linux, and Mac machines with a particular focus on victims in Turkey and Germany.

What makes the new scheme interesting, however, is the inclusion of a Dynamic Data Exchange (DDE) code injection attack which aims to compromise Microsoft Excel and circumvent signature-based antivirus solutions.

The phishing campaign sends malicious messages containing a .CSV or .XLT attachment -- both of which are opened by Excel as default. There are three warnings in total issued by Microsoft. Should the user continue to fall for the social engineering tactics, the dropper and DDE injection script execute and the code will then create a Visual Basic script which utilizes bitasdmin to download the final payload, a Java archive file which contains a commercial packer called Allatori Obfuscator. This packed file then decompresses to deploy the full Adwind RAT.

While this kind of injection attack is not new, the researchers say that "this actor found a way to modify it in order to have an extremely low detection ratio."

Cisco Talos stated: "Although both the generic method and the payload are known, this campaign show[s] how some variance into well-known artifacts can trick antivirus [software]. Their behavior, however, is clearly classical, which means that sandboxing and behavior-based solutions aligned with intent based networks should be able to detect and stop these threats without problems." Full Story at ZDNet.

Stepping your users through new-school security awareness training is also a very good idea...

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews