Beware JBifrost RAT - the New Face of Adwind - How to, Technology and PC Security Forum | SensorsTechForum.com

Adwind RAT, one of the most widespread RATs (Remote Access Trojans), has recently been rebranded, glamorously returning to the underground market with a new name – JBifrost.

This is far from the first time the malware has changed its name and become active again. It was first detected in January 2012, when it was going by the name Frutas RAT. It then reappeared in January 2013 as the Adwind RAT.

Later the threat was renamed Unrecom RAT in February 2014, AlienSpy in October 2014, and JSocket RAT in June 2015, Softpedia points out.

JSocket RAT was unraveled by Kaspersky in February 2016 in a very long and detailed report. Not surprisingly, the RAT’s operation was shut down shortly after the report was published. The RAT’s operators, however, appear to be restless: Fortinet researchers recently revealed that the threat was revived once more in May 2016. This time, it is going by the name JBifrost RAT.

A Look into JBifrost Latest Campaign

The Fortinet team is certain that JBifrost is a rebranded Adwind RAT with a new GUI and a few new features.

The updated JBifrost can no longer be freely bought, unlike previous variants, where any interested party could get hold of its code. Potential cyber criminals now need an invitation code to register on its website and eventually buy the RAT.

JBifrost Is Now Being Sold for $45 for a Month

The fee for a subscription and renewal is $40. This is not the only notable change in the RAT. The way the cyber criminals collect the money has also changed: previously, payments via PerfectMoney, CoinPayments, Advcash, EntroMoney, and Bitcoin were accepted. Now Bitcoin is the only available payment method.

According to Fortinet, JBifrost has been downloaded from its homepage 1,566 times. It’s also been detected in live malware distribution campaigns:

Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply rebranding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website. They also appear to be more cautious since their website is only accessible to invited users, and they are using Bitcoin as their only mode of payment.

Researchers also confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes.

Milena Dimitrova
