2 October 2019

New Adwind campaign targets US petroleum companies to steal sensitive data

A new malware campaign spreading a new variant of the data-stealing Adwind Remote Access Trojan (RAT) has been spotted in the wild, specifically targeting petroleum companies in the US. The malware is distributed via a malspam campaign, with the spam messages carrying either malicious attachments or URLs that redirect to the malicious payloads.

Adwind (other names are jRAT, AlienSpy, or JSocket) is a cross-platform (works on Windows, Mac, Linux, and Android platforms) Remote Access Trojan written in Java that was previously observed in the attacks against retail/hospitality organizations and companies in other industries. The RAT is available in the cybercriminal underground as a malware-as-a-service (MaaS) model. The malware provides a wide range of capabilities, including the ability to collect keystrokes, steal cached passwords and keys for cryptocurrency wallets, take pictures and record video from a webcam, and record sound from a microphone to name a few.

According to Netskope researchers, who uncovered the campaign, the new Adwind variant's functionality largely remained the same as in previous versions, although the malware authors added some advanced features, such as multi-layer obfuscation, to evade detection.

“We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month,” Netskope researchers said.

The RAT is served as a JAR payload from the domain “members[.]westnet[.]com[.]au/~joeven/” which belongs to Westnet, an Australian Internet service provider (ISP). Netskope has found 20 malware samples hosted using compromised Westnet user accounts with many of the recent samples having multiple file extensions (*.png.jar.jar) in order to confuse the targets.
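The stacked-extension trick described above works because a mail client or Explorer tends to show only the inner, harmless-looking suffix, so a gateway check should look at both the full filename and the actual bytes. The following is an added example of such a check, not Netskope's tooling or anything from the campaign itself; the extension lists are an assumed policy, and the sample JAR and PNG bytes are constructed in the code so it runs offline.

```python
"""Flag mail attachments that disguise a JAR behind stacked extensions (e.g. *.png.jar.jar).

Added example, not Netskope's or the Adwind authors' code. The extension lists
and the sample JAR/PNG bytes are constructed for illustration only.
"""
import io
import zipfile
from typing import Dict, List

# Suffixes Windows hands to a loader or interpreter on double-click
# (assumed policy list; align it with your mail gateway's block list).
EXECUTABLE_EXTS = {"jar", "exe", "js", "jse", "vbs", "vbe", "wsf", "scr", "bat", "cmd", "hta"}
# Suffixes a lure borrows to look harmless. With "Hide extensions for known file
# types" enabled (the Explorer default), "report.png.jar" is displayed as "report.png".
DECOY_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}

ZIP_MAGIC = b"PK\x03\x04"                 # local file header of a ZIP (and therefore a JAR)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte PNG signature


def split_extensions(filename: str) -> List[str]:
    """Lower-cased suffixes after the base name: 'a.png.jar.jar' -> ['png', 'jar', 'jar']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive; treat it as a JAR if it carries a manifest or any .class entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def analyse_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return a verdict plus the reasons that produced it; 'suspicious' if any rule fires."""
    exts = split_extensions(filename)
    jar = is_jar(data)
    reasons: List[str] = []

    # Rule 1: more than one suffix and the effective (last) one is executable.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("stacked extensions ending in an executable type: ." + ".".join(exts))
    # Rule 2: a decoy suffix sits in front of the executable one.
    if exts and exts[-1] in EXECUTABLE_EXTS and DECOY_EXTS.intersection(exts[:-1]):
        reasons.append("decoy inner extension placed before an executable outer extension")
    # Rule 3: the name claims PNG somewhere but the bytes are not a PNG.
    if "png" in exts and not data.startswith(PNG_MAGIC):
        reasons.append("filename claims PNG but content is not a PNG")
    # Rule 4: content is a Java archive; JARs by mail are noteworthy on their own.
    if jar:
        reasons.append("content is a Java archive (ZIP with manifest or .class entries)")
        if exts and exts[-1] != "jar":
            reasons.append(f"JAR content behind a declared .{exts[-1]} extension")

    return {
        "filename": filename,
        "extensions": exts,
        "is_jar": jar,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "clean",
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for a RAT JAR: a manifest and a stub class entry, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic only
    return buf.getvalue()


SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16  # constructed: signature followed by padding


if __name__ == "__main__":
    samples = [
        ("invoice.png.jar.jar", build_sample_jar()),  # the pattern seen in the campaign
        ("photo.png", SAMPLE_PNG),                    # benign control
    ]
    for name, blob in samples:
        result = analyse_attachment(name, blob)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The byte-level check matters more than the filename rules: a sender can pick any name, but the payload still has to be a ZIP with a manifest for `java -jar` to run it, so a gateway that unpacks the central directory catches the lure even when the suffix trick changes.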

Once the JAR is dropped and executed on the target machine it creates the parent java process and copies itself into the %User% directory. It then creates WMI scripts in %temp% and executes them to disable firewall and antivirus services.

The next stage involves creating an AES decryption routine, executing it as a new Java thread, and loading the JRAT class, which is responsible for loading and linking the DLL that contains the main RAT functionality. The malware then tries to connect to its command and control server at 185[.]205[.]210[.]48. The JRAT class itself contains multiple levels of obfuscation in order to hide its features and functionality.

The RAT has the following functionalities:

  • Capturing webcam images.

  • Scanning the hard drive for files based on extensions defined in the RAT's config.

  • Spinning up multiple process threads and performing injection into known legitimate Windows processes.

  • Monitoring system status.

  • Encrypting and exfiltrating the data to its command and control server.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” the research team concluded.
