Adwind Remote Access Trojan Hits Utilities Sector

Attackers are targeting entities from the utility industry with the Adwind Remote Access Trojan (RAT) malware via a malspam campaign that uses URL redirection to malicious payloads.

Adwind (also known as jRAT, AlienSpy, JSocket, and Sockrat) is distributed by its developers to threat actors under a malware-as-a-service (MaaS) model and it is capable of evading detection by most major anti-malware solutions.

While the Adwind Trojan manages to avoid detection by some anti-malware solutions, sandbox- and behavior-based antivirus software should be capable of detecting and block it successfully.

Targets home and enterprise users

This allows its operators to successfully compromise their targets' computers without raising suspicion, and perform a wide range of malicious tasks from stealing sensitive info like VPN certificates and credentials from Chrome, IE, and Edge to collecting and exfiltrating the victims' keystrokes.

The Adwind RAT can also record video and sound, as well as snap photos using the infected machine's webcam, as well as mine for cryptocurrency and harvest cryptocurrency wallet information.

Adwind has been making the rounds since 2013, with the RAT being observed in attacks targeting hundreds of thousands of individuals and entities from a large array of industries, including finance, telecom, software, energy, and government among others.

From previously detected malicious campaigns distributing it, the initial infection vector most used by most attackers dropping Adwind on their targets' systems are spam emails which contain infected attachments or links redirecting the targets to the primary payload.

Malicious URLs camouflaged as a PDF attachment

The emails used to infect the victims of this specific campaign were found in the inboxes of staff employed by entities from the utilities sector, landing there after successfully bypassing the companies' email gateways.

They are being sent via a compromised email account at Friary Shoes, with the company's servers also being used to store and deliver the Adwind malware payload to the victims' computers.

"At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink," found the Cofense researchers who spotted this new Adwind campaign.

"When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded."

To trick the targets into clicking the malicious link disguised as a PDF attachment, the attackers use the following email body: "Attached is a copy of our remittance advice which you are required to sign and return."

After clicking on the download link included in the malspam message, the initial payload in the form of the Scan050819.pdf_obf.jar JAR file will be dropped on the targeted machine.

The malware will immediately contact its command and control (C2) server upon execution and will add all the data it collects together with all its dependencies into the C:\Users\Byte\AppData\Local\Temp\ folder.

The next step in the infection chain is to find and kill any well-known analytics and antivirus software with the help of the legitimate taskkill Microsoft utility designed to allow ending one or more processes.

Indicators of compromise including malware sample hashes, malicious URLs used in the phishing attacks, and associated are included at the end of the Cofense report.

Switching methods and baits

Cofense's researchers have also observed several other coordinated attacks employing a large array of techniques and baits to phish various types of targets.

Just last week, they spotted a spear-phishing campaign circumventing a Microsoft email gateway with the help of documents shared via the Google Drive service and designed to target the staff of an energy industry company.

In July, crooks were seen while switching from the malicious URLs they usually employ to WeTransfer notifications that helped them bypass email gateways developed by Microsoft, Symantec, and Proofpoint.

A base HTML element was also used to conceal phishing landing page links from antispam solutions, a tactic that made it possible to evade Office 365 Advanced Threat Protection's security checks and get their phishing emails into the inboxes of American Express customers.

Yet another campaign employing fake eFax messages was detected in early July while infecting targets with a banking Trojan and RAT cocktail using malicious Microsoft Word document attachments.

Cofense was also behind the discovery of a phishing campaign that abused QR codes one month earlier, through which its operators redirected potential targets to landing pages while dodging security solutions and controls designed to stop such attacks in their tracks.