A new Adwind variant involved in attacks on US petroleum industry

Adwind is back, a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRAT, AlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign, the spam messages come with malicious attachments or include URL to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java, it was observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).

Adwind is could infect all the major operating systems, including Windows, Mac, Linux, and Android, it is available in the cybercrime underground as a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks).

Experts pointed out that the functionality of the RAT has remained the same as previous variants, the major change is in the obfuscation technique it implements. The malware uses delivers RAT payloads via nested JAR archives. The Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the analysis. 

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” conclude the expert. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netyskope’s report includes Indicators of compromise (IOCs), malware sample hashes for various JAR payloads used in these attacks, and IP addresses and domains of C&C infrastructure.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]