Adwind Spyware-as-a-Service Attacks Utility Grid Operators

adwind utility grid spyware

A phishing campaign targeting utility grid operators uses a PDF attachment to deliver spyware.

A phishing campaign that spoofs a PDF attachment to deliver Adwind spyware has been taking aim at national grid utilities infrastructure.

Adwind, a.k.a. JRAT or SockRat, is being used in a malware-as-a-service model in this campaign, researchers said. It offers a full cadre of info-gathering features, including the ability to take screenshots, harvest credentials from Chrome, Internet Explorer and Microsoft Edge, record video and audio, take photos, steal files, perform keylogging, read emails and steal VPN certificates.

“Critical infrastructure facilities are high-risk targets, and the fact that Adwind is available as a paid service is very concerning,” Bob Noel, vice president of strategic relationships for Plixer, told Threatpost. “Anyone willing to pay can target utilities, and when successful, they have the ability to collect keystrokes, steal passwords, grab screenshots, take pictures from the web camera, record sound, etc. If infected end users have access to critical system information, it could be stolen and used in an attempt to attack the facility.”

The phishing email was sent from a hijacked account at Friary Shoes, according to Milo Salvia, researcher at Cofense. It merely says, “Attached is a copy of our remittance advice which you are required to sign and return,” with an embedded button purporting to point to a PDF file.

When a victim clicks on the button though, they’re redirected to a malicious web address; Salvia wrote in an analysis Monday that the cybercriminals are abusing the Fletcher Specs domain to host the malware. Once the victim lands there, a payload is automatically downloaded to the target machine.

PDF phishing campaign

The initial payload has a fake PDF file extension to obfuscate the fact that it’s actually a .JAR file. In the background, it creates two Java.exe processes, which load two separate .class files containing the Adwind malware. It then beacons out to its command-and-control (C2) server, according to Salvia.

And, it tries to stay hidden with another executable file, taskkill.exe, which looks for popular antivirus and malware analysis tools and then disables them, the researcher wrote.

Adwind has made bypassing and disabling security tools a hallmark. Last year, a new variant emerged that used a fresh take on the Dynamic Data Exchange (DDE) code-injection technique for anti-virus evasion.

“Tricking end users into clicking on malicious links or attachments continues to be the most successful means for bad actors to gain access,” said Noel. “As is true in the case of the Adwind remote access trojan, once malware lands on a device, it often has the ability to disable antivirus and other types of endpoint detection agents loaded on the device.”

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles