Security researchers have discovered that infamous Adwind, a popular cross-platform Remote Access Trojan written in Java, has re-emerged and currently being used to “target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries.”
The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).
Adwind is a cross-platform RAT, it is able to infect all the major operating systems, including Windows, Mac, Linux, and Android.
Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks). Adwind/jRAT can steal credentials, record and harvest keystrokes, take pictures or screenshots, film and retrieve videos, and exfiltrate data. Adwind iterations were used to target banks and Danish businesses, and even turned infected machines into botnets.
The malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware.
According to a blog post published today, the malicious campaign was noticed on two different occasions.
the first on June 7, 2017 using a different URL to divert victims to their .NET-written malware equipped with spyware capabilities. The second wave was observed on June 14, and used different domains that hosted their malware and command and control (C&C) servers. Both waves apparently employed a similar social engineering tactic to lure victims into clicking the malicious URLs.
The spam email’s message impersonates the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee. The spam email’s subject line, “Changes in 2017 – MYBA Charter Agreement”, tries to cause a sense of urgency for potential victims. It uses a forged sender address, (info[@]myba[.]net) and a seemingly legitimate content to trick would-be victims into clicking the malicious URL.
Snapshot of Spam Email
Once infected, the malware also collects system’s fingerprints, along with the list of installed antivirus and firewall applications.
“It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions,” the researchers wrote.
Considering that the main infection vector for the Adwind RAT are spam messages, users have to be suspicious of unsolicited messages containing documents or links. Never open a document or click on links inside those emails if you haven’t verified the source.
As usual, keep your systems and antivirus products up-to-date.