RAT Adwind strikes again

London, UK – July 13, 2017 – Researchers from Trend Micro reported an increased number of attacks using the cross-platform Remote Access Trojan Adwind. Their number has doubled over the past month. This Trojan is capable to infect most of the operating systems where Java is installed, including Windows, Mac, Linux and Android. There were two phishing spam campaigns recorded in June that mainly targeted aerospace enterprises in Austria, the United States, Ukraine and Switzerland. Phishing emails contained the malicious URL that dropped PIF file in the victim’s system. This file modified the system certificate and then downloaded jRAT-wrapper (JAVA_ADWIND.JEJPCO), which connected to control servers and dropped the Adwind Trojan in runtime.

JRAT-wrapper uses Visual Basic scripts to collect information about installed antivirus product and firewall, and it can evade the attention of traditional antivirus solutions. Adversaries can use Trojan Adwind to steal any data, including credentials, take screenshots, and also use it as a keylogger. This malware is known since 2013, it has already been used multiple times for attacks on banks and other enterprises, creation of botnets and even for cryptocurrency mining on devices running Android.

Adversaries will not stop having such an effective tool. We recommend SIEM use case Ransomware Hunter Advanced to protect against such threats. It uses Vulnerability Management data and automatically calculates scoring for every suspicious activity.