A new malware campaign spreading a new variant of the data-stealing Adwind Remote Access Trojan (RAT) has been spotted in the wild, specifically targeting petroleum companies in the US. The malware is distributed via a malspam campaign whose messages carry malicious attachments or URLs that redirect to the malicious payload.
Adwind (also known as jRAT, AlienSpy, or JSocket) is a cross-platform Remote Access Trojan written in Java that runs on Windows, Mac, Linux, and Android. It was previously observed in attacks against retail/hospitality organizations and companies in other industries, and is sold in the cybercriminal underground under a malware-as-a-service (MaaS) model. The malware provides a wide range of capabilities, including collecting keystrokes, stealing cached passwords and cryptocurrency wallet keys, taking pictures and recording video from a webcam, and recording sound from a microphone, to name a few.
According to the Netskope researchers who uncovered the campaign, the functionality of the new Adwind variant is largely unchanged from previous versions, although the malware authors added some advanced features, such as multi-layer obfuscation, to evade detection.
“We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month,” Netskope researchers said.
The RAT is served as a JAR payload from the domain “members[.]westnet[.]com[.]au/~joeven/”, which belongs to Westnet, an Australian Internet service provider (ISP). Netskope found 20 malware samples hosted on compromised Westnet user accounts; many of the recent samples carry stacked file extensions (*.png.jar.jar) to confuse the targets.
Once the JAR is dropped and executed on the target machine, it spawns the parent java process and copies itself into the %User% directory. It then writes WMI scripts to %temp% and executes them to disable firewall and antivirus services.
In the next stage the malware sets up an AES encryption routine, runs as a new Java thread, and loads the JRAT class, which loads and links the DLL that contains the core RAT functionality. It then attempts to connect to its command and control server at 185[.]205[.]210[.]48. The JRAT class itself is obfuscated at multiple levels to hide its features and functionality.
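The two network indicators above (the Westnet serving path and the C2 address) and the stacked-extension trick from the previous paragraph are the observables a defender can hunt for in web-proxy logs. The script below is an added example, not Netskope's tooling or anything from the original write-up: it assumes a simple constructed proxy log format (`timestamp client method url status`) and uses only the indicators quoted in this article, flagging any line that downloads from the serving path, connects to the C2 address, or fetches a file whose name ends in two or more extensions with `.jar` last.

```python
import re
from typing import List, Tuple

# Indicators of compromise as quoted in the article (defanged brackets removed).
C2_IP = "185.205.210.48"
SERVING_PATH = "members.westnet.com.au/~joeven/"

# Constructed proxy log format: timestamp client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def stacked_jar_name(path: str) -> bool:
    """True when the base file name has two or more extensions and the last is .jar,
    the *.png.jar.jar pattern used to disguise the Adwind payload (case-insensitive)."""
    base = path.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] == "jar"


def indicator_reasons(url: str) -> List[str]:
    """Return every reason a single URL/host field matches the campaign indicators."""
    reasons = []
    # Drop the scheme so http:// and https:// URLs compare the same way.
    target = re.sub(r"^[a-z]+://", "", url.lower())
    if target.startswith(SERVING_PATH):
        reasons.append("download from Adwind serving path")
    host = target.split("/", 1)[0].split(":", 1)[0]
    if host == C2_IP:
        reasons.append("connection to Adwind C2 address")
    # Only the path portion is checked for a file name; a bare host never counts.
    path = target.split("/", 1)[1] if "/" in target else ""
    if stacked_jar_name(path.split("?", 1)[0]):
        reasons.append("stacked-extension JAR filename")
    return reasons


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (timestamp, client, reason) for every indicator hit in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        for reason in indicator_reasons(m["url"]):
            hits.append((m["ts"], m["client"], reason))
    return hits


# Constructed sample log: two hosts touch campaign infrastructure, one is benign,
# and one fetches a stacked-extension JAR from an unrelated (hypothetical) host.
SAMPLE_LOG = """\
2019-09-11T10:02:13Z 10.1.4.22 GET http://members.westnet.com.au/~joeven/docs/Invoice.png.jar.jar 200
2019-09-11T10:02:15Z 10.1.4.22 CONNECT 185.205.210.48:443 -
2019-09-11T10:03:01Z 10.1.4.30 GET http://example.com/index.html 200
2019-09-11T10:04:40Z 10.1.4.31 GET http://files.example.net/report.pdf.jar.jar 200
"""

if __name__ == "__main__":
    for ts, client, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client}: {reason}")
```

The stacked-extension check is deliberately broader than the exact `*.png.jar.jar` string Netskope reported, so a sample renamed to `report.pdf.jar.jar` is still caught; pair the host-level hits with the attachment check so a single client fetching the JAR and then reaching the C2 address shows up twice and can be prioritised.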
The RAT has the following functionalities:
- Capturing webcam images
- Scanning the hard drive for files based on extensions defined in the RAT's config
- Spinning up multiple process threads and performing injection into known legitimate Windows processes
- Monitoring system status
- Encrypting and exfiltrating the data to its command and control server
“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” the research team concluded.