Experts spotted spam campaigns delivering XTRAT and DUNIHI backdoors bundled with the Adwind RAT

Security experts at Trend Micro have spotted spam campaigns delivering XTRAT and DUNIHI Backdoors and Loki malware bundled with the Adwind RAT.

Malware researchers at Trend Micro have uncovered a spam campaign that delivers the infamous Adwind RAT (aka jRAT) alongside the XTRAT backdoor (aka XtremeRAT) and the Loki info stealer. In a separate Adwind RAT spam campaign, the researchers observed the use of the VBScript with backdoor tracked as DUNIHI.

Both campaigns abuse the legitimate free dynamic DNS server hopto[.]org.

“Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org.” reads the analysis published by Trend Micro. “The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.”

The experts detected 5,535 unique infections of Adwind between January 1 and April 17, most of them in the US, Japan, Australia, Italy, Taiwan, Germany, and the U.K.

Crooks behind the Adwind, XTRAT, and Loki used weaponized RTF document that triggers the CVE-2017-11882 vulnerability to deliver the Adwind, XTRAT, and Loki bundles.

Below the attack chain:

“The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70[.]hopto[.]org.” continues the analysis.

Adwind is a cross-platform Java backdoor that has been observed in the wild since 2013. XTRAT shares similar capabilities with Adwind, it also implements features to control both device camera and microphone.

Loki was known as a password and cryptocurrency wallet stealer well-known in the cybercrime ecosystem.

The experts also observed Adwind bundled with DUNIHI backdoor, attackers used a JAR dropper that ships a VBS dropper delivered via spam mail. The VBS dropper download and execute both DUNIHI and Adwind.

DUNIHi connects to pm2bitcoin[.]com:62103, while the Adwind/jRAT variant contacts the badnulls[.]hopto[.]org:3011.

Experts suggest a multilayered approach to security when dealing with a cross-platform threat like Adwind.

“IT administrators should regularly keep networks and systems patched and updated.”

“Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network.” concluded Trend Micro.

“Businesses should commit to training employees, review company policies, and develop good security habits.” 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – Adwind RAT, cybercrime)

[adrotate banner=”13″]

[adrotate banner=”5″]