Recent Posts

Recent Blog Posts

The PhishLabs Blog

Adwind Remote Access Trojan Still Going Strong

Posted by Amanda Kline on Nov 1, '17
Find me on:

 A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails containing a malicious JAR file under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many others.  Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool designed to run on Mac OS, Windows, Linux, and Android systems to exfiltrate sensitive data from its victims. It has been known to, but is not limited to, log keystrokes, take pictures and record audio, steal cached data such as passwords and form fills, download/execute malware, amass system and user information, and modify registry entries.

Adwind RAT is a malware-as-a-service tool, which is distributed via paid service, and can be customized to fit the cybercriminal’s needs. Due to the ease of availability, the type of threat actor using the tool can range from a teenage boy in their parent’s basement to an organized crime group, or an APT style, state sponsored group. By design, Adwind often targets small to medium sized enterprises due to the overwhelming existence of Java based applications found on those networks. Past campaigns have targeted enterprises in the United States, Europe and the Middle East. Those campaigns included finance, aerospace, retail, engineering, telecom, education, healthcare, energy, and countless others, as well as turned victim’s machines into bots.

Tactics used to trick or entice victims into clicking the malicious content include fear, sense of urgency, and curiosity. Using the victims’ emotions against them yields a higher return rate for minimal effort by cybercriminals. Email subject lines that include “invoice,” “delivery notifications,” “quotation,” “payments/transfers” are commonly used by cybercriminals to entice or urge victims to open and click on links or attachments of malicious emails.

Example of some of the lures:

Adwind_Figure 1.jpg

Figure 1. Example of a phishing lure distributing Adwind RAT

 

Adwind_Figure 2.jpg

Figure 2. Email lure exhibiting a sense of urgency and possibly fear

Adwind_Figure 3.jpg

Figure 3. Email lure using a sense of urgency to entice a response

Topics: Remote Acccess Trojan, Adwind

   

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Upcoming Events

Calendar_Mock_

Posts by Topic

see all