After being rebranded in 2016, Adwind, the well-known remote access tool (RAT), has been put to use once again. Attacks on more than 1,500 organizations have been reported, and victims in at least 100 countries have been compromised, a Kaspersky Lab report reveals.
As expected, organizations in many sectors have been affected – industrial, retail, distribution, architecture, construction, shipping, logistics, and even legal services.
Adwind RAT 2017 Attacks Explained
The attack begins with spoofed emails made to look like messages from HSBC Advising Service; the sender domain mail.hsbcnet.hsbc.com was used. The email carried an infected ZIP attachment as the payload. If opened, the .zip file would reveal a JAR file.
Did you know? Spoofing is a popular technique among attackers. Display name spoofs in particular involve impersonating a person familiar to a corporate user, so that the user believes they know the sender. The technique is quite effective and is often leveraged in attacks on businesses, representing 91% of said attacks. The reason it’s so effective is quite simple – corporate users are flooded with emails on a daily basis.
The malware would then install itself and attempt to communicate with its command & control server, granting the attacker almost complete control over the targeted system. The RAT is deployed primarily to harvest sensitive and often confidential information.
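The two warning signs described above, a display name that matches a trusted contact but comes from a different address, and a ZIP attachment that wraps a JAR, can both be checked at the mail gateway. The following is an added example, not code from the original article or from Kaspersky Lab; the contact list, the sender address and the attachment are constructed in memory so it runs offline, and the domain used for the spoofed sender is a placeholder.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: contacts the organisation actually corresponds with, keyed by
# the display name users would recognise.
KNOWN_CONTACTS = {"HSBC Advising Service": "advising@hsbcnet.hsbc.com"}

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def display_name_spoof(from_header: str) -> bool:
    """True when the display name belongs to a known contact but the
    address does not match the one on file (classic display name spoof)."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_CONTACTS.get(name.strip())
    return expected is not None and addr.lower() != expected.lower()


def jar_members_in_zip(data: bytes) -> list:
    """Return the names of .jar members inside a ZIP payload, or [] if the
    bytes are not a valid ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".jar")]
    except zipfile.BadZipFile:
        return []


def analyse(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "display_name_spoof": display_name_spoof(str(msg["From"])),
        "jar_in_zip": [],
    }
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() in ZIP_TYPES or filename.endswith(".zip"):
            findings["jar_in_zip"].extend(
                jar_members_in_zip(part.get_payload(decode=True))
            )
    return findings


def build_zip_with_jar() -> bytes:
    """Constructed sample: a ZIP holding an empty 'payment_notice.jar'
    (a JAR is itself a ZIP, so 22 bytes of end-of-central-directory suffice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_notice.jar", b"PK\x05\x06" + b"\x00" * 18)
    return buf.getvalue()


def build_sample_message(attachment: bytes) -> bytes:
    """Constructed sample lure: trusted display name, unrelated sender
    address (placeholder .test domain), ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "HSBC Advising Service <notify@hsbc-advising.test>"
    msg["To"] = "accounts@victim.test"
    msg["Subject"] = "Payment advice"
    msg.set_content("Please see the attached payment advice.")
    msg.add_attachment(
        attachment, maintype="application", subtype="zip",
        filename="HSBC_Advice.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample_message(build_zip_with_jar())))
```

The display name check is deliberately conservative: an unknown display name is not flagged, only a known name paired with the wrong address, which keeps false positives low on a real mail stream. Checking the ZIP contents rather than the outer file type catches the JAR even when the attachment is mislabelled.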
The countries affected by the attacks are Malaysia, the United Kingdom, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico and the Russian Federation.
Kaspersky Lab has released an announcement which says the following:
According to Kaspersky Lab researchers, since the victims include a high proportion of businesses, criminals could use industry-specific mailing lists to target their attacks. Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology.
Adwind RAT has been around for quite some time now, and has been available under various aliases such as AlienSpy, Frutas, Sockrat, JSocket, Unrecom and jRat. It is a cross-platform, multifunctional malware that is sold for a price. According to Kaspersky Lab statistics, Adwind was deployed against at least 443,000 users globally between 2013 and 2016.