2 October 2019

New Adwind campaign targets US petroleum companies to steal sensitive data

A new malware campaign spreading a new variant of the data-stealing Adwind Remote Access Trojan (RAT) has been spotted in the wild, specifically targeting petroleum companies in the US. The malware is distributed via a malspam campaign whose messages carry malicious attachments or URLs redirecting to malicious payloads.

Adwind (also known as jRAT, AlienSpy, or JSocket) is a cross-platform Remote Access Trojan written in Java that runs on Windows, Mac, Linux, and Android. It was previously observed in attacks against retail/hospitality organizations and companies in other industries. The RAT is offered in the cybercriminal underground under a malware-as-a-service (MaaS) model. The malware provides a wide range of capabilities, including the ability to collect keystrokes, steal cached passwords and keys for cryptocurrency wallets, take pictures and record video from a webcam, and record sound from a microphone, to name a few.

According to Netskope researchers, who uncovered the campaign, the functionality of the new Adwind variant largely remained the same as in previous versions, although the malware authors added some advanced features, such as multi-layer obfuscation to evade detection.

“We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month,” Netskope researchers said.

The RAT is served as a JAR payload from the domain “members[.]westnet[.]com[.]au/~joeven/” which belongs to Westnet, an Australian Internet service provider (ISP). Netskope has found 20 malware samples hosted using compromised Westnet user accounts with many of the recent samples having multiple file extensions (*.png.jar.jar) in order to confuse the targets.
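A defender-side check for the double-extension trick described above, added here as an example; it is not taken from the Netskope report, and the extension lists and function names are my own choices:

```python
import os

# Extensions the OS or Java runtime will actually execute on double-click.
# Constructed list for this example, not from the Netskope report.
EXECUTABLE_EXTS = {"jar", "exe", "js", "vbs", "scr", "bat", "cmd", "ps1", "hta", "wsf"}
# Harmless-looking extensions an attacker prepends so the name reads as an image or document.
DECOY_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def analyze_attachment_name(filename: str) -> dict:
    """Classify a filename by its chain of extensions.

    Returns the extension the OS will honour (`effective`), the decoy
    extensions that precede it (`decoys`), and `suspicious`, which is True
    when an executable extension hides behind an image/document extension
    or is repeated (e.g. invoice.png.jar.jar).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    exts = [p for p in parts[1:] if p]  # every token after the first is a candidate extension
    effective = exts[-1] if exts else ""
    decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
    repeated = len(exts) >= 2 and exts[-1] == exts[-2] and effective in EXECUTABLE_EXTS
    suspicious = effective in EXECUTABLE_EXTS and (bool(decoys) or repeated)
    return {"name": base, "effective": effective, "decoys": decoys, "suspicious": suspicious}


def flag_attachments(names):
    """Return the filenames that a mail gateway should hold for review."""
    return [n for n in names if analyze_attachment_name(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names; the first mirrors the *.png.jar.jar pattern the article describes.
    samples = ["invoice_scan.png.jar.jar", "quarterly.report.final.pdf", "Setup.JAR", "photo.jpg"]
    for name in samples:
        print(analyze_attachment_name(name))
```

A bare single `.jar` attachment is not flagged by this heuristic; whether to block JAR attachments outright is a separate policy decision.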

Once the JAR is dropped and executed on the target machine, it creates the parent Java process and copies itself into the %User% directory. It then creates WMI scripts in %temp% and executes them to disable firewall and antivirus services.

In the next stage the malware sets up an AES encryption routine, runs it as a new Java thread, and loads the JRAT class, which is responsible for loading and linking the DLL that contains the core RAT functionality. It then attempts to connect to its command and control server at 185[.]205[.]210[.]48. The JRAT class itself contains multiple layers of obfuscation to hide its features and functionality.

The RAT has the following functionalities:

  • Capturing webcam images.

  • Scanning the hard drive for files based on extensions defined in the RAT's config.

  • Spinning up multiple process threads and performing injection into known legitimate Windows processes.

  • Monitoring system status.

  • Encrypting and exfiltrating the data to its command and control server.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” the research team concluded.
