Security analysts are warning the public about the latest Adwind RAT campaign which gives the malware the ability to avoid most antivirus software.
According to an investigation by cybersecurity researchers from the intelligence firms Cisco Talos and ReversingLabs, the Adwind RAT is back with a more sophisticated toolkit that can reportedly fool antivirus programs. With this new capability, the trojan can quickly and effortlessly compromise most home and business systems.
Adwind is a well-known Remote Access Trojan that has previously been used by cybercriminals to launch attacks against organizations and industries worldwide. The trojan, also known as JSocket, Frutas, Sockrat, jRAT, and AlienSpy, is packed with a range of capabilities for penetrating computer networks and systems.
Adwind’s multifunctional capabilities allow it to monitor a computer user’s activities. It can log keystrokes, take screenshots, exfiltrate sensitive information such as user credentials, use the webcam, record video and audio, and carry out other malicious activities.
Back in February of this year, Comodo Group’s Threat Research Lab discovered how a group of hackers used emails disguised as Swift messages to spread Adwind RAT. Comodo believed that the campaign was designed to spy on users and collect valuable data from targeted enterprise networks and endpoints in preparation for a secondary attack.
The latest variants of the trojan extend its reach to cryptocurrency. Talos researchers reported that the new Adwind RAT will now also attempt to steal the cryptographic keys needed to access cryptocurrency wallets on affected computers.
A targeted campaign was reportedly launched last August to spread Adwind 3.0, the most recent variant of the RAT. The campaign targeted Windows, Linux, and Mac systems in Turkey and Germany. The attack uses a Dynamic Data Exchange (DDE) code injection that abuses Microsoft Excel and can trick signature-based antivirus programs.
The campaign involves sending emails with a .CSV or .XLT file attachment, which Excel opens by default. The files contain two droppers, both using DDE code injection. Instead of reading the file as a dropper, signature-based antivirus reads it as corrupted, which allows the user to open it.
Though Excel can detect the file as malformed and issues three warnings, a user who persists in opening the file executes the dropper and the DDE injection script. The code then creates a Visual Basic script that invokes the command-line tool bitsadmin, which is used to download, upload, and monitor jobs. The attackers then abuse bitsadmin to download and launch the full Adwind RAT.
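The delivery chain described above (a formula cell of the form app|topic!item smuggled into a text attachment, chaining through bitsadmin) can be caught at the mail gateway before Excel ever sees the file. The following checker is an added example, not code from the original article or from Talos/ReversingLabs: it parses a CSV attachment, flags any cell that a spreadsheet would treat as a formula, and escalates when the cell has the DDE shape or names a Windows utility commonly abused by droppers. The sample rows, the token list, and the block/review verdict tiers are constructed assumptions; the check generalises beyond this campaign to any formula-injection payload in CSV.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# DDE formulas have the shape  app|topic!item . A pipe followed later by an
# exclamation mark inside a formula cell is the structural tell we key on.
DDE_SHAPE = re.compile(r"\|.*!")

# Windows utilities a dropper typically chains through (bitsadmin is the one
# named in the article); assumed list, extend to taste.
SUSPICIOUS_TOKENS = ("cmd", "powershell", "bitsadmin", "mshta", "wscript",
                     "cscript", "msiexec", "regsvr32", "certutil")


def cell_findings(cell):
    """Return the reasons a single cell looks like a formula/DDE injection."""
    text = cell.strip()
    if not text.startswith(FORMULA_TRIGGERS):
        return []                       # plain data, never evaluated by Excel
    reasons = []
    if DDE_SHAPE.search(text):
        reasons.append("dde-shape")
    lowered = text.lower()
    for token in SUSPICIOUS_TOKENS:
        if re.search(r"\b" + token + r"\b", lowered):
            reasons.append("token:" + token)
    return reasons


def scan_csv(data):
    """Scan CSV text; return (row, column, cell, reasons) for every suspect cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(data))):
        for c, cell in enumerate(row):
            reasons = cell_findings(cell)
            if reasons:
                hits.append((r, c, cell, reasons))
    return hits


def verdict(data):
    """'block' on DDE shape, 'review' on a formula naming a suspicious tool, else 'clean'."""
    hits = scan_csv(data)
    if any("dde-shape" in h[3] for h in hits):
        return "block"
    if hits:
        return "review"
    return "clean"


# Constructed sample attachment: three benign rows (one negative number, one
# ordinary SUM formula) and one DDE-shaped cell with a harmless placeholder body.
SAMPLE_CSV = """invoice_id,amount,note
1001,250.00,Payment received
1002,-15.50,Refund
1003,=SUM(B2:B3),Total
1004,"=cmd|'/c echo CONSTRUCTED-SAMPLE'!A0",Looks like a number column
"""

if __name__ == "__main__":
    for r, c, cell, reasons in scan_csv(SAMPLE_CSV):
        print("row %d col %d %r -> %s" % (r, c, cell, ", ".join(reasons)))
    print("verdict:", verdict(SAMPLE_CSV))
```

Note that a negative number or an ordinary SUM formula only trips the first gate, so legitimate spreadsheets pass; the verdict escalates on structure, not on a signature, which is exactly what the "corrupted file" trick in the article defeats. The .XLT variant is a binary workbook and needs a proper spreadsheet parser rather than the csv module; the same per-cell rules apply once the cell text is extracted.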
With this new threat to online security, people are advised to be vigilant when opening emails. Do not open emails or attachments from unknown sources, and delete them where possible.