The holidays are busy times for most people – and that includes cyber criminals, who are busy sending millions of spam emails carrying newly repackaged Adwind remote access Trojan (RAT) variants meant to avoid detection.

Adwind is a cross-platform RAT that has also been called AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRAT. This multifunctional RAT can monitor user activity, log keystrokes, take screenshots, use the webcam, exfiltrate information such as credentials, download malicious files, and record video and audio, as well as perform a "host of other nasty activities."

Emails spreading Adwind come with JAR (Java ARchive, packaged in ZIP file format) or ZIP file attachments. Symantec started to see an increase in emails with malicious JAR files spreading Adwind in August, but the volume really kicked up in October, surging to 1.55 million that month and another 1.3 million in November.

In other words, attackers launched this high-volume campaign to take advantage of the holiday shopping season. Symantec suggested the timing could "give attackers more time to use any stolen credentials, as victims may let their guard down because they are more relaxed and engaged with other festive activities during this time."

Adwind-spreading emails look legitimate

Now, you might think you are cautious about opening emails, but if you purchased any gifts that are meant to be delivered for the holidays, you might open an email claiming the parcel could not be delivered. Some of the emails are very convincing fakes that look like they were sent from a well-known logistics firm.

The Adwind-spreading emails in this campaign don't only appear to come from logistics firms; they are also made to look like they originate from service providers in other industry sectors, such as finance, telecoms and software.
Subject lines often include "Account statement," "payment" and "PURCHASE ORDER," matching the company impersonated in the social engineering scheme. An attachment may look like a PDF file, but actually it is a JAR file carrying the Adwind malware. Other emails, which appear to come from financial institutions, come with two attachments in case the victim suspects the JAR file could be malicious.

New Adwind RAT designed to avoid detection

The Adwind RAT may have been around since 2013, but criminals are constantly changing tactics and have repackaged Adwind to evade detection in this recent spam campaign. Symantec explained that, in an attempt to remain undetected, the new variants "contain very few identifiable strings and use a convoluted scheme involving layer upon layer of obfuscated function calls and classes wrapped inside numerous JAR files."

Symantec Threat Analysis Engineer Rohit Sharma explained:

Once executed, the JAR files drop a payload JAR file with a random name and extension. The payload JAR is dropped in a randomly named directory and executed. The threat then runs VBS scripts in order to fingerprint the compromised computer. It also uses the Windows Management Instrumentation (WMI) interface to get details of any installed firewall or security products.

The threat then sets registry entries to disable System Restore and set Image File Execution Options for many security products and reversing tools to svchost.exe so that the tools cannot start. It also starts ending processes related to monitoring tools. The threat also connects to its command and control (C&C) server (we observed Adwind connecting with 174[.]127[.]99[.]211, but similar IP address ranges have also been used).

The payload includes information about the configuration: it has drop.box with an RSA private key, mega.download with an encrypted configuration file and sky.drive with an AES key to decrypt the data in mega.download.
The configuration file shows a URL for a website selling software and support for JRAT.

The JAR file has specific implementations for Windows, macOS and Linux, but in the end, if a computer is infected with the cross-platform Adwind RAT, attackers not only can steal credentials, but they have any number of spying capabilities on that computer. They can:

- Take screenshots
- Access the webcam
- Access the file system to read, write or delete files
- Download and execute files
- Log keystrokes
- Play an audio message
- Tamper with the mouse and keyboard

How to prevent being infected with Adwind RAT

Naturally, users should keep security solutions, as well as operating systems, up to date to avoid falling victim to exploit-based attacks. Symantec is keeping a close eye on Adwind and any potential new variants, and it says not to open unsolicited emails that include a call to action to open links or attachments.
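The registry tampering Symantec describes above (Image File Execution Options entries that point security and reversing tools at svchost.exe, plus System Restore being disabled) leaves traces a defender can check for in a registry export. The following is an added example, not code from the article or from Symantec; the .reg content is constructed, and the SystemRestore policy key and DisableSR value name are assumed as the place such a setting would land.

```python
"""Flag, in a Windows .reg export, IFEO 'Debugger' values that redirect tools to
svchost.exe and a System Restore disable flag (assumed key, see lead-in)."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
SR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# Constructed sample export, not real telemetry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\mydebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, val = line[1:].partition('"=')
            keys[current][name] = val.strip('"')
    return keys

def find_tampering(text):
    """Return (finding, where) tuples for the two behaviours checked."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.startswith(IFEO_PREFIX) and "Debugger" in values:
            # .reg escapes backslashes as '\\'; unescape before matching.
            debugger = values["Debugger"].replace("\\\\", "\\")
            # A Debugger pointing at svchost.exe stops the named tool from starting.
            if re.search(r"(^|\\)svchost\.exe$", debugger, re.IGNORECASE):
                findings.append(("ifeo_hijack_to_svchost", key[len(IFEO_PREFIX):]))
        if key == SR_KEY and values.get("DisableSR") == "dword:00000001":
            findings.append(("system_restore_disabled", key))
    return findings
```

A legitimate IFEO Debugger entry (the notepad.exe line above) is deliberately not flagged, so the check targets the svchost.exe redirection the analysis describes rather than every debugger hook.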