Malware

Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems

Researchers from ReversingLabs and Cisco Talos have uncovered a new Adwind campaign that targets Linux, Windows, and macOS systems.

Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems.

Adwind is a remote access Trojan (RAT), the samples used in the recently discovered campaign are Adwind 3.0 RAT and leverage the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.

The campaign was uncovered at the end of August, attackers mainly targeted users in Turkey (75%), experts noticed that other victims were located in Germany, but likely members of the Turkish community.

The spam campaign uncovered by the experts leveraged on malicious documents that were written in Turkish.

“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” reads the analysis published by Cisco Talos.

The experts observed at least two different droppers in this campaign that use both the .csv or .xlt files that are opened by default by Microsoft Excel.

Both of them would leverage a new variant of the DDE code injection attack, although this technique is well-known, the variant used in this campaign is still undetected.

The dropper file can have more than 30 different file extensions some of them are not opened by Excel by default, however, the attackers can use a script launching Excel with a file with one of these extensions as a parameter.

“Formats like CSV doesn’t have a predefined header, thus it can contain any kind of data at the beginning. Having random data like in the samples we found my trick the anti-virus into skip the file scanning. Other formats may be considered corrupted, as they might not follow the expected format.” continues the report.

Excel will display differed warnings to the user regarding the execution of code, the first related to the execution of a corrupted file, the second one notifies the user that the document will execute the application “CMD.exe.”

If the user accepts all the warnings, the application is executed on the system.

Talos pointed out that attackers aim at injecting code that would create and execute a Visual Basic Script that uses the bitasdmin Microsoft tool to download or upload jobs and monitor their progress, to get the final payload in the form of a Java archive.

The Java code is packed with the demo version of the “Allatori Obfuscator commercial packer, version 4.7.

The final payload is a sample the Adwind RAT v3.0.

“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations.” Talos concludes.

“This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,” 

Further details, including IoCs, are reported in the analysis published by Talos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Adwind RAT, malware-as-a-service)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

10 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.