Adwind

The Adwind trojan, also referred to as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRAT, is a remote access tool (RAT) first discovered as Frutas in 2012. The trojan's backdoor is written in Java, allowing it to run on multiple platforms including Windows, Mac OS, Linux, and Android. Adwind allows an attacker to control the device remotely, gather data, exfiltrate data, and move laterally in the network. Attackers can log keystrokes, steal credentials, take screenshots, take pictures and record from a web camera, record sounds from a microphone, transfer files, collect system information, steal cryptographic keys, manage SMS on Android, and steal VPN credentials. Adwind is mainly used by cybercriminals in opportunistic attacks and is distributed through spam. The trojan is not self-infecting or self-replicating; it requires victim interaction. Kaspersky estimates the total number of victims from 2013 to early 2016 at about 443,000, located in various countries, including the United States. JSocket RAT is currently available for purchase on its website for $30 for a one-month license and $200 for an unlimited license.

In March 2017, Kaspersky Lab reported on a large campaign in which more than 1,500 organizations in over 100 countries and territories were infected with the Adwind trojan. The retail and distribution sectors make up the largest share of those targeted, at 20.1 percent. Attackers sent victims phishing emails purportedly from HSBC Advising Service, using the mail.hsbcnet.hsbc.com domain, with a "payment advice" attachment. If the attached ZIP file is opened, the Adwind trojan self-installs and attempts to communicate with its command and control (C2) server. If the machine is successfully compromised, the attacker gains almost complete control over the device and can send the sensitive data collected back to the C2 server.
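As an added defender-side example (not from the original page or from Kaspersky's report), the following Python inspects a ZIP mail attachment for an embedded Java archive, the delivery shape described above for a Java-based RAT. The sample attachment and all function names are constructed here for illustration.

```python
import io
import zipfile

# Magic bytes at the start of every compiled Java class file.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP 'payment advice' that carries a JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        j.writestr("Loader.class", JAVA_CLASS_MAGIC + b"\x00" * 12)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        # Double extension: looks like a PDF to a casual reader, runs as a JAR.
        z.writestr("payment_advice.pdf.jar", jar.getvalue())
    return outer.getvalue()


def java_archive_findings(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return reasons the archive looks like a Java payload; empty list if none.

    Recurses into nested archives (a JAR is itself a ZIP) up to max_depth so a
    deeply nested or self-referencing archive cannot make the scan run forever.
    """
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" in names:
            findings.append("manifest: archive is a JAR")
        for name in names:
            lower = name.lower()
            if lower.endswith((".jar", ".class")):
                findings.append(f"java entry: {name}")
            if lower.count(".") > 1 and lower.endswith((".jar", ".exe", ".js")):
                findings.append(f"double extension: {name}")
            content = z.read(name)  # directories read as b""
            if content.startswith(JAVA_CLASS_MAGIC):
                findings.append(f"class magic: {name}")
            findings.extend(java_archive_findings(content, depth + 1, max_depth))
    return findings


def is_suspicious_attachment(data: bytes) -> bool:
    """True when the attachment carries Java executable content at any depth."""
    return bool(java_archive_findings(data))
```

A mail gateway rule built on this check would quarantine or strip such attachments, and the findings list gives the analyst the reason for the verdict.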

Reporting

  • April 2015: AlienSpy is infecting both consumers and large enterprises. (Softpedia)
  • February 2016: JSocket is available for purchase on the open Internet. (ARStechnica)
  • November 2016: The trojan has been used in phishing emails claiming to include the Islamic State of Iraq and Syria’s manifesto titled, “The Murtadd Vote.” (F-Secure)
  • February 2017: Adwind used in attack against 1,500 organizations from 100 countries and territories. (Softpedia)
  • March 2017: Recent cyber attacks have infected more than 1,500 organizations in over 100 countries and territories with the Adwind trojan. (Ilonggo)
  • July 2017: The trojan is being delivered via a spam campaign targeting enterprises in the aerospace industry. Switzerland, Ukraine, Austria, and the US are the most affected countries. Adwind detections have risen sharply this year, from 5,286 in January 2017 to 117,649 in June. (Trend Micro)

Technical Details

  • Technical details including IOCs can be found in Kaspersky SecureList's report, available here.

Image Source: Kaspersky