The Adwind trojan, also referred to as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRAT, is a remote access tool (RAT) discovered as Frutas in 2012. The trojan's backdoor is written in Java allowing it to run on multiple platforms including Windows, Mac OS, Linux, and Android. Adwind can allow an attacker to control the device remotely, gather data, exfiltrate data, and move laterally in the network. Attackers can log keystrokes, steal credentials, take screenshots, take pictures and record from a web camera, record sounds from a microphone, transfer files, collect system information, steal cryptographic keys, manage SMS on Android, and steal VPN credentials. Adwind is mainly used by cybercriminals in opportunistic attacks, distributed through spam. The trojan is not self-infecting or self-replicating, it requires victim interaction. Kaspersky estimates the number of total victims from 2013 to early 2016 at about 443,000 located various countries, including the United States. JSocket RAT is currently available for purchase on its website for $30 for a one-month license and $200 for an unlimited license.
- April 2015: AlienSpy is infecting both consumers and large enterprises. (Softpedia)
- February 2016: JSocket is available for purchase on the open Internet. (ARStechnica)
- November 2016: The trojan has been used in phishing emails claiming to include the Islamic State of Iraq and Syria’s manifesto titled, “The Murtadd Vote.” (F-Secure)
- February 2017: Adwind used in attack against 1,500 organizations from 100 countries and territories. (Softpedia)
- Technical details including IOCs can be found in Kaspersky SecureList's report, available here.