A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails that carry a malicious JAR file attachment under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many other business themes. Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool that runs on any system with a Java Runtime Environment, including Mac OS, Windows, Linux and Android, and is used to exfiltrate sensitive data from its victims. Its observed capabilities include, but are not limited to, logging keystrokes, taking pictures and recording audio, stealing cached data such as passwords and form fills, downloading and executing additional malware, collecting system and user information, and modifying registry entries.
Adwind RAT is sold as malware-as-a-service: operators pay for access and can customize the build to fit their needs. Because it is so easy to obtain, the actors using it range from lone amateurs to organized crime groups and APT-style, state-sponsored groups. Because the payload is a JAR, it runs wherever a Java Runtime Environment is installed, and Adwind frequently targets small and medium-sized enterprises, where Java-based applications remain common on the network. Past campaigns have hit enterprises in the United States, Europe and the Middle East across finance, aerospace, retail, engineering, telecom, education, healthcare, energy and many other sectors, and have also turned victims’ machines into bots.
Tactics used to trick or entice victims into opening the malicious content play on fear, a sense of urgency and curiosity. Turning the victim’s emotions against them yields a high return for minimal effort on the cybercriminal’s part. Subject lines built around “invoice,” “delivery notification,” “quotation” and “payment/transfer” are commonly used to urge recipients to open attachments or click links in malicious emails.
Examples of some of the lures:
Figure 1. Example of a phishing lure distributing Adwind RAT
Figure 2. Email lure exhibiting a sense of urgency and possibly fear
Figure 3. Email lure using a sense of urgency to entice a response
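The delivery pattern above, a JAR attachment paired with a finance or shipping lure subject, is easy to triage at the mail gateway or in an analyst's inbox dump. The following is an added example written for this page, not code from the original report or from any Adwind sample; the message, the sender and recipient addresses, the lure-term list and the attachment bytes are all constructed here for illustration, and the attachment is a benign hand-built zip that only carries a Java manifest. It identifies a JAR by content (zip magic plus `META-INF/MANIFEST.MF`) rather than trusting the filename, so a renamed or double-extension archive is still caught.

```python
"""Triage an e-mail for the Adwind delivery pattern: a JAR attachment
combined with an invoice/quotation/delivery/payment lure in the subject.
Added example; sample data below is constructed, not captured."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure vocabulary taken from the subject themes discussed above (assumed list).
LURE_TERMS = ("invoice", "quotation", "rfq", "delivery", "shipment", "swift",
              "payment", "transfer", "remittance", "proforma")


def is_jar(data: bytes) -> bool:
    """True if the bytes are a zip archive that carries a Java manifest.
    Checking content instead of the filename catches renamed archives."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names


def lure_hits(subject: str) -> list:
    """Return the lure terms that appear as whole words in the subject."""
    lowered = subject.lower()
    return [t for t in LURE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", lowered)]


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and score it against the pattern.
    'high'   = JAR attachment and a lure subject (the campaign pattern)
    'medium' = JAR attachment without a recognised lure
    'low'    = no JAR attachment"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    jar_names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".jar") or is_jar(payload):
            jar_names.append(name)
    hits = lure_hits(subject)
    if jar_names and hits:
        verdict = "high"
    elif jar_names:
        verdict = "medium"
    else:
        verdict = "low"
    return {"subject": subject, "jar_attachments": jar_names,
            "lure_terms": hits, "verdict": verdict}


def fake_jar() -> bytes:
    """Constructed benign archive: a manifest plus a class-file stub.
    It contains no bytecode and cannot be executed by a JVM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # magic only, no code
    return buf.getvalue()


def build_sample(subject: str, filename: str, attachment: bytes) -> bytes:
    """Constructed test message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = subject
    msg.set_content("Please find the attached document.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Double-extension archive with a lure subject: the campaign pattern.
    print(triage(build_sample("Request For Quotation", "RFQ_2231.pdf.zip", fake_jar())))
    # Benign text attachment, unrelated subject.
    print(triage(build_sample("Team lunch", "menu.txt", b"hello")))
```

In production the same check belongs on a gateway that already strips or quarantines `.jar` attachments outright; the content check matters because a JAR renamed to `.zip` or given a double extension still opens in the JRE when the user launches it through the archive handler or `java -jar`.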