Delaware, USA – August 20, 2019 – The new campaign focuses on national grid utilities infrastructure. Unknown attackers sent spam emails from the compromised account of a Friary Shoes employee, which successfully bypassed the email filters of companies in the utilities sector. Cofense researchers analyzed the malicious emails and discovered a domain registered on August 3 to host the Adwind remote access Trojan installer. The emails contain the message “Attached is a copy of our remittance advice which you are required to sign and return” and a JPG image that looks like a PDF attachment, with a hyperlink that downloads a .JAR file. If the user executes the downloaded file, Adwind RAT contacts the command-and-control server, uses the legitimate taskkill.exe to disable antimalware protection, and adds a registry key to achieve persistence. The Trojan is capable of stealing credentials, recording audio and video, taking screenshots, stealing VPN certificates, keylogging, and transferring files.
It is not known which threat actor is behind this campaign, since the Adwind RAT is distributed among adversaries under a malware-as-a-service model, and any group can purchase it and use it in their campaigns. This campaign may be related to the recent attack by the Chinese cyber espionage group APT10 on US companies in the utility sector, as preparations for this campaign began immediately after details of that operation became publicly available. Adwind RAT is popular because it evades many antivirus solutions, and its use makes it difficult to attribute a campaign to a specific threat actor. You can detect this Trojan using the rules available on Threat Detection Marketplace:
Adwind RAT Detector – https://tdm.socprime.com/tdm/info/1498/
adwind rat / jrat – https://tdm.socprime.com/tdm/info/2152/
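The two post-execution behaviours described above (a Java-launched payload calling taskkill.exe and a Java process writing a Run key) are what host telemetry can catch. The following is an added example, not the Threat Detection Marketplace rules or Cofense's analysis: it runs simple detection logic over constructed, Sysmon-like process-creation and registry events. The field names, the Java install path, the MsMpEng.exe target and the Run-key value name are all assumptions for illustration; the page names none of them.

```python
import re

# Constructed events in a simplified Sysmon-like shape (assumed field names,
# not real telemetry from the campaign). Two benign events are mixed in.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM MsMpEng.exe"},          # assumed AV process name
    {"event": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},          # benign: user-launched
    {"event": "registry_set",
     "image": r"C:\Program Files\Java\bin\javaw.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Updater\u.jar"},
    {"event": "registry_set",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\agent.exe"},      # benign: installer
]

JAVA_RE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)          # java.exe or javaw.exe
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def is_java(image):
    """True if the image path is a Java runtime binary (JAR payloads run under it)."""
    return bool(JAVA_RE.search(image or ""))


def classify(ev):
    """Return a finding label for a suspicious event, or None for benign ones."""
    if ev["event"] == "process_create":
        # A Java runtime spawning taskkill.exe matches the AV-tampering step.
        if is_java(ev["parent"]) and ev["image"].lower().endswith("\\taskkill.exe"):
            return "java_spawned_taskkill"
    elif ev["event"] == "registry_set":
        # A Java runtime writing under a Run key matches the persistence step.
        if is_java(ev["image"]) and RUN_KEY_RE.search(ev["key"]):
            return "java_run_key_persistence"
    return None


def scan(events):
    """Return the labels of all events that trip either detection, in order."""
    return [label for ev in events if (label := classify(ev)) is not None]


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # → ['java_spawned_taskkill', 'java_run_key_persistence']
```

Both detections key on the Java runtime as parent or writer, so a Run key set by msiexec.exe or a taskkill launched from Explorer does not fire.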