The well-known Adwind RAT (Remote Access Trojan) has been deployed in new malicious campaigns against targets in the utility industry. The attacks are carried out via spam email messages that redirect potential victims to the malicious payload.
Adwind RAT Enables New Malicious Campaigns
The Adwind RAT has been around for several years and has been distributed among criminals under a malware-as-a-service (MaaS) model. Briefly described, it is cross-platform malware with multifunctional capabilities that is available only for a price. According to Kaspersky Lab statistics, Adwind was deployed against at least 443,000 users globally between 2013 and 2016, and the number of victims has definitely multiplied since then.
The current Adwind campaigns target entities in the utilities sector. In fact, Cofense researchers detected a specific campaign aimed at national grid utility infrastructure. The malicious email that caught the researchers’ attention came from a hijacked account at Friary Shoes. The threat actors also abused the web address of Fletcher Specs to host the malware. The contents of the email are simple and straight to the point:
“Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image meant to look like a PDF file attachment; it is in fact a JPG file with an embedded hyperlink. When victims click on the “attachment”, they are taken to the infection URL hxxps://fletcherspecs[.]co[.]uk/, from which the initial payload is downloaded.
The file delivered in this campaign is a .JAR named “Scan050819.pdf_obf.jar”; it is noteworthy that the threat actors made the effort to make the file look like a PDF. Once the file is executed, two java.exe processes are created which load two .class files. The malware then communicates with its command and control server.
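The delivery chain just described (an image posing as a PDF attachment that links off to a third-party host, a JAR with a document extension buried in its name, and Java processes launched from a user's profile directory) lends itself to three simple defender-side checks. The Python below is an added example, not code from Cofense, Kaspersky or the article's author. The gateway and endpoint log layouts (key="value" pairs), the HTML lure, and every host, user and sender name are constructed for the example; only the attachment name Scan050819.pdf_obf.jar is taken from the campaign described above.

```python
"""Defender-side checks for the Adwind delivery chain described above.

Added example, not vendor or article code. All log lines, the HTML snippet and
the key="value" log layout are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Document extensions a dropper imitates, and the Java extensions it really has.
DOC_LOOKALIKES = ("pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt")
JAVA_EXTS = ("jar", "jnlp")

# "<name>.pdf[_anything].jar": a document extension sitting before a Java one,
# e.g. the campaign's "Scan050819.pdf_obf.jar" or a plain "invoice.pdf.jar".
DISGUISE_RE = re.compile(
    r"\.(?:%s)(?:[._-][^.]*)?\.(?:%s)$"
    % ("|".join(DOC_LOOKALIKES), "|".join(JAVA_EXTS)),
    re.IGNORECASE,
)

# Path fragments (lower-cased) where a user-launched JAR or its dropped
# .class files typically live; legitimate service JARs rarely run from here.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")


def is_disguised_java(filename: str) -> bool:
    """True when a Java archive carries a document extension earlier in its name."""
    return DISGUISE_RE.search(filename) is not None


def scan_attachment_log(lines):
    """Return attachment names from gateway log lines that look like disguised JARs."""
    hits = []
    for line in lines:
        m = re.search(r'attachment="([^"]+)"', line)
        if m and is_disguised_java(m.group(1)):
            hits.append(m.group(1))
    return hits


def scan_process_log(lines):
    """Return java/javaw command lines that load code from a user-writable path."""
    hits = []
    for line in lines:
        m = re.search(r'cmdline="([^"]*)"', line)
        if not m:
            continue
        cmd = m.group(1)
        if not re.search(r"\bjavaw?\.exe\b", cmd, re.IGNORECASE):
            continue
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            hits.append(cmd)
    return hits


def image_link_lures(html: str, sender_domain: str):
    """Return hrefs of anchors that wrap only an image and point off the sender's domain.

    This is the "PDF icon that is really a hyperlinked JPG" lure from the campaign.
    """
    lures = []
    anchor_img = r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b[^>]*>\s*</a>'
    for m in re.finditer(anchor_img, html, re.IGNORECASE):
        host = urlparse(m.group(1)).hostname or ""
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        if not same_org:
            lures.append(m.group(1))
    return lures


# Constructed sample data (domains use the reserved .invalid TLD).
ATTACHMENT_LOG = [
    'ts=2019-08-05T09:12:01Z sender=ap@vendor.invalid subject="Remittance advice" attachment="Scan050819.pdf_obf.jar"',
    'ts=2019-08-05T09:15:44Z sender=hr@corp.invalid subject="Holiday schedule" attachment="schedule.pdf"',
    'ts=2019-08-05T09:20:10Z sender=dev@corp.invalid subject="Build artifact" attachment="app-1.2.jar"',
    'ts=2019-08-05T09:31:07Z sender=billing@vendor.invalid subject="Invoice" attachment="invoice.pdf.jar"',
]

PROCESS_LOG = [
    'ts=2019-08-05T09:13:22Z host=WS-017 parent=explorer.exe cmdline="javaw.exe -jar C:\\Users\\alice\\Downloads\\Scan050819.pdf_obf.jar"',
    'ts=2019-08-05T09:13:23Z host=WS-017 parent=javaw.exe cmdline="java.exe -cp C:\\Users\\alice\\AppData\\Local\\Temp\\_0123 Main"',
    'ts=2019-08-05T10:02:00Z host=WS-042 parent=services.exe cmdline="java.exe -jar C:\\Program Files\\Acme\\agent.jar"',
]

LURE_HTML = (
    "<p>Attached is a copy of our remittance advice which you are required to sign and return.</p>"
    '<a href="https://lure-host.invalid/"><img src="cid:pdf-icon.jpg" alt="remittance.pdf"></a>'
    '<a href="https://vendor.invalid/unsubscribe">Unsubscribe</a>'
)

if __name__ == "__main__":
    print("disguised attachments:", scan_attachment_log(ATTACHMENT_LOG))
    print("suspicious Java launches:", scan_process_log(PROCESS_LOG))
    print("image-only external links:", image_link_lures(LURE_HTML, "vendor.invalid"))
```

The attachment check deliberately keys on a document extension appearing anywhere before the final Java extension rather than on a literal `.pdf.jar`, so renamed variants such as the `_obf` suffix seen here are still caught; the process check pairs naturally with the sandbox and behaviour-based detection the article recommends, since a JAR started by explorer.exe from a Downloads folder and then spawning a second java.exe against a Temp classpath is exactly the behaviour such tooling can alert on.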
As for its malicious capabilities, the Adwind RAT can:
- Take screenshots;
- Harvest credentials from Chrome, IE and Edge;
- Access the webcam, record video and take photos;
- Record audio from the microphone;
- Transfer files;
- Collect general system and user information;
- Steal VPN certificates;
- Serve as a keylogger.
The malware is also capable of evading detection by most anti-malware solutions. However, sandbox- and behavior-based programs should be able to detect it.
Adwind was quite active in mass-scale campaigns in 2017, when security researchers from Kaspersky Lab detected attacks on more than 1,500 organizations in at least 100 countries. The attacks were distributed via spoofed emails made to look like messages from HSBC Advising Service, using the mail.hsbcnet.hsbc.com domain. The email contained an infected ZIP attachment carrying the malware as a payload. If opened, the .zip file would reveal a JAR file, as is the case with the current campaign described in this article.