The remote access Trojan Adwind has resurfaced and as of last weekend, is being used in spam emails targeting Danish companies, researchers said.
In emails purporting to be order requests coming from either spoofed or fake return addresses, attackers are spreading malicious .jar, or Java archive files. Assuming a user clicks through and opens the file, Adwind’s code is run, and the machine is pulled into a botnet.
From: [spoofed / fake return address]
Subject Line: Order – Quotation Request
Attached:
Doc-172394856.jar
According to researchers with Romania-based Heimdal Security, who described the RAT in a blog post on Monday, this iteration of Adwind communicates with a server that’s been used in other RAT campaigns that use dynamic DNS services. Command and control servers used by the RAT have been down and up over the course of its existence. Most of them rely on Dynamic DNS servers and are not real domain registrations.
Adwind has always been a cross platform, multifunctional backdoor; the latest instance isn’t any different.
“The objective of these type of attacks is always dual: to exfiltrate data from the compromised organizations and to open a backdoor which allows attackers to feed more malware into the affected machines,” Heimdal Security’s Andra Zaharia wrote.
“Adwind has often been related to refined APT campaigns, so it’s no surprise that we should find this RAT in this context,” Zaharia said.
Researchers with the firm didn’t specify exactly what type of companies the Adwind-laden spam emails were sent to but the vector is in line with attacks spotted by Kaspersky Lab at the tail end of 2015.
Researchers with the company’s Global Research and Analysis Team learned at the time that a bank in Singapore received a malicious .JAR file attached to a spear phishing email. The bank employee who received the email didn’t open the file, but if they had, they would’ve installed the malware and allowed an attacker to collect keystrokes, take screenshots, record sound, and steal VPN certificates, among a handful of other abilities.
At the Kaspersky Lab Security Analyst Summit in February Vitaly Kamluk, a researcher at the firm, described the RAT’s flexibility. Since its written in Java, Adwind, a/k/a Frutas, AlienSpy, and JSocket, can be used in targeted attacks, like the emails sent to Danish companies and the Singapore bank, as well as cybercrime.
At the time Kaspersky researchers tallied at least 443,000 users, from commercial and non-commercial organizations worldwide, had been hit by the Adwind RAT platform.