The Adwind RAT implements many features, including stealing credentials, keylogging, taking screenshots and pictures, data gathering and data exfiltration.

The malicious campaign was noticed on two different waves, the first one on June 7 and used a link to divert victims to a .NET-written malware equipped with spyware capabilities, while the second one on June 14 and crooks used different domains hosting their malware and C&C servers.

Both attacks leveraged spam emails that impersonate the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.

Once infected, the malicious code gathers information on the victims, including the list of installed antivirus and firewall applications.

“Based on jRAT-wrapper’s import header, it appears to have the capability to check for the infected system’s internet access.” continues the analysis. “It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions.”

Considering that the main infection vector for the Adwind RAT are spam messages, users have to be suspicious of unsolicited messages containing documents or links. Never open a document or click on links inside those emails if you haven’t verified the source.

As usual, keep your systems and antivirus products up-to-date.

Pierluigi Paganini 

(Security Affairs – Adwind RAT, cybercrime)

[adrotate banner=”13″]

[adrotate banner=”5″]