Over 1 million monthly spam emails spreading new Adwind RAT variants

Symantec warns of a surge in spam emails spreading new Adwind RAT variants that can monitor user activity, log keystrokes, take screenshots, download malicious files, and record video and audio.


The holidays are busy times for most people – and that includes cyber criminals who are busy sending millions of spam emails carrying newly repackaged Adwind remote access Trojan (RAT) variants meant to avoid detection.

Adwind is a cross-platform RAT that has also been called AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRAT. This multifunctional RAT can monitor user activity, log keystrokes, take screenshots, use the webcam, exfiltrate information such as credentials, download malicious files, record video and audio, as well as do a “host of other nasty activities.”

Emails spreading Adwind come with JAR (Java ARchive packaged in ZIP file format) or ZIP file attachments. Symantec started to see an increase in emails with malicious JAR files spreading Adwind in August, but then it really kicked up in October — surging to 1.55 million that month and another 1.3 million in November.

In other words, attackers launched this high-volume campaign to take advantage of the holiday shopping season. Symantec suggested the timing could “give attackers more time to use any stolen credentials, as victims may let their guard down because they are more relaxed and engaged with other festive activities during this time.”

Adwind-spreading emails look legitimate

Now, you might think you are cautious about opening emails, but if you purchased any gifts that are meant to be delivered for the holidays, you might open an email claiming the parcel could not be delivered. Some of the emails are very convincing fakes that look like they were sent from a well-known logistics firm.


The Adwind-spreading emails in this campaign don’t only appear to come from logistics firms; they are also made to look like they originate from service providers in other industry sectors, such as finance, telecoms and software. Subject lines often include “Account statement,” “payment” and “PURCHASE ORDER,” matching the type of company impersonated in the social engineering scheme.

An attachment may look like a PDF file, but actually it is a JAR file with the Adwind malware. Other emails, which appear to come from financial institutions, come with two attachments in case the victim suspects the JAR file could be malicious.
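Because the lure relies on a JAR or a JAR-carrying ZIP being mistaken for a document, a mail gateway should classify attachments by their bytes rather than by their name. The following checker is an added example written for this article, not Symantec’s tooling; the sample attachments it builds (a minimal JAR with a manifest, a ZIP wrapping that JAR, and a placeholder PDF) are constructed in memory so it runs offline.

```python
"""Classify e-mail attachments by content, not by claimed extension.

Added example (not from the Symantec report). A JAR is a ZIP archive that
carries META-INF/MANIFEST.MF and/or .class entries; the checker flags a JAR
named like a document, a plain ZIP that contains a JAR one level down, and
any document extension whose bytes do not match.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions a user would read as a harmless document (constructed policy set).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "txt", "rtf"}


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    actual_type: str                 # "pdf", "jar", "zip" or "unknown"
    suspicious: bool
    reason: str
    nested_jars: List[str] = field(default_factory=list)


def _claimed_extension(filename: str) -> str:
    # Only the final extension counts: "order.pdf.jar" is seen as .jar by the OS.
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _zip_members(data: bytes) -> List[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def _is_jar(data: bytes) -> bool:
    members = _zip_members(data)
    return any(m == "META-INF/MANIFEST.MF" or m.endswith(".class") for m in members)


def classify_attachment(filename: str, data: bytes) -> Verdict:
    ext = _claimed_extension(filename)
    nested: List[str] = []
    if data.startswith(PDF_MAGIC):
        actual = "pdf"
    elif data.startswith(ZIP_MAGIC):
        if _is_jar(data):
            actual = "jar"
        else:
            actual = "zip"
            # The campaign also used ZIP wrappers; look one level down for JARs.
            nested = [m for m in _zip_members(data) if m.lower().endswith(".jar")]
    else:
        actual = "unknown"

    if actual == "jar":
        reason = "executable Java archive"
        if ext in DOCUMENT_EXTENSIONS:
            reason += " named like a document"
        return Verdict(filename, ext, actual, True, reason)
    if nested:
        return Verdict(filename, ext, actual, True, "ZIP contains JAR", nested)
    if ext in DOCUMENT_EXTENSIONS and actual != ext:
        return Verdict(filename, ext, actual, True, f"claims .{ext} but bytes are {actual}")
    return Verdict(filename, ext, actual, False, "extension matches content")


# --- constructed samples -----------------------------------------------------

def build_fake_jar() -> bytes:
    """Minimal JAR: a manifest plus a dummy class entry (constructed, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()


def build_wrapper_zip(inner_name: str, inner: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner)
    return buf.getvalue()


SAMPLE_PDF = b"%PDF-1.4\n%constructed placeholder document\n"

if __name__ == "__main__":
    for name, blob in [("Parcel_Notice.pdf", build_fake_jar()),
                       ("Invoice.pdf", SAMPLE_PDF),
                       ("Account_statement.zip", build_wrapper_zip("statement.pdf.jar", build_fake_jar()))]:
        print(classify_attachment(name, blob))
```

The check deliberately treats any JAR as suspicious regardless of its name, since the campaign also mailed JARs with honest extensions; the document-name mismatch is recorded separately so a gateway can weight the two signals differently.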

New Adwind RAT designed to avoid detection

The Adwind RAT may have been around since 2013, but criminals are constantly changing tactics and have repackaged Adwind to evade detection in this recent spam campaign. Symantec explained that in an attempt to remain undetected, the new variants “contain very few identifiable strings and use a convoluted scheme involving layer upon layer of obfuscated function calls and classes wrapped inside numerous JAR files.”

Symantec Threat Analysis Engineer Rohit Sharma explained:

Once executed, the JAR files drop a payload JAR file with a random name and extension. The payload JAR is dropped in a randomly named directory and executed. The threat then runs VBS scripts in order to fingerprint the compromised computer. It also uses the Windows Management Instrumentation (WMI) interface to get details of any installed firewall or security products.

The threat then sets registry entries to disable System Restore and set Image File Execution Options for many security products and reversing tools to svchost.exe so that the tools cannot start. It also starts ending processes related to monitoring tools. The threat also connects to its command and control (C&C) server (we observed Adwind connecting with 174[.]127[.]99[.]211 but similar IP address ranges have also been used).

The payload includes information about the configuration: It has drop.box with an RSA private key, mega.download with an encrypted configuration file and sky.drive with an AES key to decrypt the data in mega.download. The configuration file shows a URL for a website selling software and support for JRAT.
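The two host-side changes Sharma describes, System Restore being disabled and Image File Execution Options (IFEO) “Debugger” values redirecting security tools to svchost.exe, both live in the registry and are easy to audit from an export. The script below is an added example for this article, not Symantec’s detection logic; the IFEO and SystemRestore key paths are real Windows locations, but the tool names in the sample export (analyzer.exe, example-av.exe) are constructed.

```python
"""Audit a Windows .reg export for IFEO hijacks and System Restore disablement.

Added example (not Symantec's tooling). Parses the text format produced by
`reg export` and reports (a) IFEO subkeys whose Debugger value points at
svchost.exe, which silently prevents the named tool from starting, and
(b) DisableSR / DisableConfig set to 1 under the System Restore keys.
"""
import re
from typing import Dict, List, Optional, Tuple

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SYSTEM_RESTORE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} from .reg text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def _reg_string(raw: str) -> str:
    # REG_SZ values are quoted and backslash-escaped in .reg files.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def _reg_dword(raw: str) -> Optional[int]:
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    return int(m.group(1), 16) if m else None


def audit_reg_export(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing matched."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(text).items():
        if key.lower().startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            target = key.rsplit("\\", 1)[-1]
            debugger = _reg_string(values["Debugger"])
            # A legitimate IFEO entry names a real debugger binary; a bare
            # svchost.exe redirect exists only to stop the target from running.
            if "svchost" in debugger.lower():
                findings.append(("ifeo_redirect", f"{target} -> {debugger}"))
        if key in SYSTEM_RESTORE_KEYS:
            for name in ("DisableSR", "DisableConfig"):
                if _reg_dword(values.get(name, "")) == 1:
                    findings.append(("system_restore_disabled", f"{name}=1 under {key}"))
    return findings


# Constructed sample export: two redirected tools, one legitimate debugger
# entry (windbg) that must not be flagged, and System Restore switched off.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\analyzer.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

if __name__ == "__main__":
    for finding, detail in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f"{finding}: {detail}")
```

On a live host the same logic can run against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; any Debugger value that is not a known debugger path deserves a look, and svchost.exe in particular has no legitimate reason to appear there.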

The JAR file has specific implementations for Windows, macOS and Linux. Whichever platform is infected with the cross-platform Adwind RAT, attackers can do more than steal credentials: they gain a range of spying capabilities on that computer. They can:

  • Take screenshots
  • Access the webcam
  • Access the file system to read, write or delete files
  • Download and execute files
  • Log keystrokes
  • Play an audio message
  • Tamper with the mouse and keyboard

How to prevent being infected with Adwind RAT

Naturally, users should keep security solutions, as well as operating systems, up to date to avoid falling victim to exploit-based attacks. Symantec is keeping a close eye on Adwind and any potential new variants, and it says not to open unsolicited emails that include a call to action to open links or attachments.
