Adwind Trojan Targets Windows Applications

Adwind Targets Windows Applications
Written by Valdis Koks

Researchers at Menlo Security have discovered a new version of the Adwind RAT that targets Windows applications exclusively.

The Adwind Trojan, also known as AlienSpy, Frutas, Unrecom, JRAT, SockRat and JSocket, is written entirely in Java and is typically used to steal information from infected machines.

“Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web. In fact, any effort to block or limit Java would result in much of the internet breaking down – a non-starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities”, write Menlo Security researchers.

Until now, the malware had not cared which platform it ran on: Linux, macOS, Windows or Android.

The variant, which appeared four months ago, attacks only Windows and steals logins and passwords from Windows applications: Internet Explorer, Outlook, business software and banking clients. Notably, the new Adwind also goes after data stored in Chromium-based browsers, including Brave.

The malware reaches the computer as a JAR file downloaded via a link in a spam email or from a legitimate site serving insecure third-party content. In many cases, the researchers traced infections to unpatched WordPress sites.


The malicious code inside the JAR file sits under several layers of obfuscation to evade signature-based detection. After decryption, the initial set of modules is loaded and a connection to the command-and-control (C&C) server is established.

The C&C server's IP address is chosen from a list in the configuration file; the request to download additional JAR files is AES-encrypted and sent over TCP port 80. Once it has received everything it needs for its main task, the malware starts collecting credentials on command and sends them to the remote server.
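Two of the traits described above are checkable without detonating the sample: a dropper JAR that carries its real payload as an encrypted or nested resource, and a module download that is AES-wrapped and pushed over TCP port 80 without being HTTP. The script below is an added example written for this article (it is not code from Menlo Security or from the Adwind authors). It statically triages a JAR for nested archives and high-entropy resources, and flags a port-80 client payload that is not an HTTP request and has ciphertext-like entropy. The sample JAR, the sample payloads, the entry names and the entropy thresholds are all constructed assumptions chosen for illustration.

```python
"""Static triage heuristics for an Adwind-style JAR dropper and its C2 traffic.

Added example (not Menlo Security's or the Adwind authors' code). The sample
JAR and the sample payloads are constructed inline so the script runs offline.
Thresholds, file names and the RNG seed are illustrative assumptions.
"""
import io
import math
import random
import zipfile
from collections import Counter

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java .class file header
ARCHIVE_MAGIC = b"PK\x03\x04"       # ZIP local file header (a nested JAR)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, low for text and bytecode."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for an AES-encrypted blob (constructed test data, not real ciphertext)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def triage_jar(jar_bytes: bytes, entropy_threshold: float = 7.5,
               min_size: int = 256) -> dict:
    """Inspect a JAR without running it.

    Flags nested archives (a stage-2 JAR hidden as a resource) and large
    resources whose entropy looks like ciphertext rather than code or text.
    Caveat: compressed media (PNG, JPEG) also scores high, so treat hits as
    leads for dynamic analysis, not as verdicts.
    """
    findings = {"main_class": None, "class_count": 0,
                "nested_archives": [], "high_entropy": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)            # decompressed entry contents
            name = info.filename
            if name == "META-INF/MANIFEST.MF":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        findings["main_class"] = line.split(":", 1)[1].strip()
            if data.startswith(CLASS_MAGIC):
                findings["class_count"] += 1
            elif data.startswith(ARCHIVE_MAGIC):
                findings["nested_archives"].append(name)
            elif len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                findings["high_entropy"].append(name)
    findings["suspicious"] = bool(findings["nested_archives"] or findings["high_entropy"])
    return findings


def flag_port80_flow(dst_port: int, payload: bytes,
                     entropy_threshold: float = 7.0) -> bool:
    """Flag a client->server payload on TCP/80 that is not an HTTP request and
    looks encrypted: the shape of an AES-wrapped module download on port 80.
    Feed it only the first client segment of a flow.
    """
    if dst_port != 80 or len(payload) < 64:
        return False
    if payload.startswith(HTTP_METHODS):
        return False
    return shannon_entropy(payload) >= entropy_threshold


def build_sample_jar() -> bytes:
    """Constructed sample: a loader class, a benign text resource, an embedded JAR and an opaque blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Stage2.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 64)
        zf.writestr("resources/strings.txt", "hello world " * 40)            # benign, low entropy
        zf.writestr("lib/inner.jar", inner.getvalue())                       # nested archive
        zf.writestr("resources/stage2.bin", pseudo_random_bytes(2048, 1337))  # stand-in for an encrypted module
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
    http = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n" + b"x" * 32
    print(flag_port80_flow(80, http))                          # plain HTTP request: not flagged
    print(flag_port80_flow(80, pseudo_random_bytes(512, 99)))  # opaque blob on port 80: flagged
```

Both checks are heuristics, which is the point the researchers make about signatures: a fat JAR that legitimately bundles its dependencies will trip the nested-archive rule, and an entropy threshold is only a prioritisation aid. What the script buys you is a cheap way to pull a JAR or a port-80 flow out of the noise for the dynamic analysis the article recommends.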

“No signature analyzer can confidently detect the initial Adwind JAR load among millions of inbound and outbound Java commands on the corporate network. Only dynamic analysis can detect malicious activity”, write experts from Menlo Security.

The multi-functional Adwind Trojan first appeared in 2013 and has periodically drawn the attention of security researchers since then, turning up in new variants and shifting its targets. Its most recent appearance before this, in spam mailings in August, was aimed at US energy companies.

The malware is sold on the black market as a service, and its authors pay close attention to evading and disabling security products. Last year, for example, they tested an infection scheme that abuses Office DDE (Dynamic Data Exchange) to hide malicious code from antivirus engines.

Menlo Security Recommendation

Cybersecurity attacks, like magic tricks, cease being mysterious once the delivery and method are revealed. Once you identify that abnormal behavior, it becomes easier to stop attackers in their tracks. Only a complete, layered cybersecurity solution can provide that level of protection for users.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
