New Adwind RAT Campaign with Zero AV Detection Targets Businesses in Denmark

Exterminator (Community Manager, thread author):
Danish cyber-security firm Heimdal Security has detected a wave of spam emails delivering malicious attachments laced with versions of the Adwind RAT (Remote Access Trojan).

The campaign took place over the weekend, and according to Heimdal Security experts, it only targeted Danish companies.

Despite this narrow initial scope, the spam emails were written in English, so expanding the campaign to other countries would likely take no more than a change of target list in the crooks' control panel.

Infection occurred via a Java file attachment
Heimdal says the spam emails carried a file attachment named Doc-[Number].jar. A scan on VirusTotal at the time showed that no antivirus engine detected the file as malicious, even though it contained the Adwind RAT, a malware family that has been around for four years. A .jar file is a Java archive that runs as soon as a user with a Java Runtime installed double-clicks it, so the lack of detection left the attachment one click away from execution.

Adwind first appeared on the market as Frutas RAT (January 2012) and was rebranded several times: Unrecom RAT (February 2014), AlienSpy (October 2014) and, most recently, JSocket RAT (June 2015). Most security firms still call it Adwind, the name under which it claimed the most victims.

A Kaspersky report released in February 2016, after authorities managed to shut down the crooks' operation, revealed that the group behind this malware had sold its toolkit to some 1,800 other criminals, who in turn infected over 443,000 victims.

Crooks were after sensitive business information
The crooks' aim was to infect computers belonging to Danish companies.

Once installed, the Adwind RAT opens a backdoor on the infected system, letting the operators take control of the device, search it for sensitive information and exfiltrate that data through various channels.

All infected computers were also added to a global botnet, which the malware's operator could use to send spam or launch DDoS attacks. Heimdal's team identified more than eleven C&C servers used in this latest campaign.

"Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike," Heimdal's Andra Zaharia explains.

"Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them."

Campaign still active, new Adwind RAT version spotted
"All the domains in the alert are still active, as they are the newest ones involved in the attacks," Zaharia tells Softpedia. "The malicious C&C servers using various dynamic DNS service providers are currently being documented to be reported to all concerned parties."

"The campaign is ongoing at the moment, so we recommend companies focus their resources on proactive security measures. As always, employee education is crucial, from our perspective," she adds.

"The Adwind version spotted in these attacks is a slightly modified one as compared to previous variants of this RAT," Zaharia also says. "It features sandbox evasion and various anti-debugger checks. So, by all appearances, it is a new version, but it doesn't have a distinctive name yet," referring to the multiple names the Adwind RAT had used in the past years.

UPDATE [July 5, 2016]: Added further comments regarding the attack from Mrs. Zaharia.
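The attachment check a mail gateway should have applied to this campaign, as an added example that is not part of the article or of Heimdal's tooling: it triages the attachments of a constructed spam sample by content (ZIP magic plus a Java manifest or .class entries) rather than by antivirus verdict or filename, and separately flags the Doc-[Number].jar naming the article reports. The message, its addresses and the number 4471 in the filename are constructed for the example; the mini archive merely stands in for the real attachment and contains no bytecode.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Filename pattern reported for this campaign: Doc-[Number].jar.
# Assumption: the placeholder is purely numeric; the article gives no actual value.
CAMPAIGN_NAME_RE = re.compile(r"^Doc-\d+\.jar$", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP archive


def looks_like_jar(data: bytes) -> bool:
    """Content-based check: a JAR is a ZIP carrying a manifest and/or .class files.
    Checking bytes instead of the extension also catches the same archive renamed to .pdf."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def triage_attachments(raw_eml: bytes) -> list[dict]:
    """Return one record per attachment listing every reason it should be quarantined."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_jar = looks_like_jar(data)
        has_jar_ext = name.lower().endswith(".jar")
        reasons = []
        if is_jar:
            reasons.append("jar-content")            # executable Java archive, whatever it is called
        if has_jar_ext:
            reasons.append("jar-extension")          # runs on double-click where a JRE is installed
        if CAMPAIGN_NAME_RE.match(name):
            reasons.append("campaign-name-pattern")  # Doc-<digits>.jar as reported by Heimdal
        if is_jar and not has_jar_ext:
            reasons.append("extension-mismatch")     # JAR disguised as another document type
        findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings


def _fake_jar() -> bytes:
    """Constructed stand-in for the Doc-[Number].jar attachment: a minimal ZIP with a
    manifest and an empty .class entry. It is not the malware and holds no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"")
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed spam sample modelled on the article: English lure, Doc-<n>.jar attachment.
    Addresses and the invoice wording are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.dk"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please find the attached document.")
    jar = _fake_jar()
    msg.add_attachment(jar, maintype="application", subtype="java-archive", filename="Doc-4471.jar")
    # The same archive renamed to look like a PDF: the name rule misses it, the content rule does not.
    msg.add_attachment(jar, maintype="application", subtype="pdf", filename="Doc-4471.pdf")
    msg.add_attachment("Terms and conditions.", filename="terms.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_attachments(build_sample_eml()):
        verdict = "QUARANTINE" if f["reasons"] else "allow"
        print(f"{verdict:10} {f['filename']:14} {f['size']:>5} B  {', '.join(f['reasons'])}")
```

Run it directly to print a verdict per attachment. The content check fires even for the copy renamed to .pdf, which is exactly the case a name-based rule misses; a gateway that quarantines anything executable by file association (.jar included) does not depend on an AV signature that, as this campaign showed, may not exist yet.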
 

DardiM (Malware Hunter):
Thanks for the share :)

It's interesting to see that now (at the moment I made this post), after one day and about 5 hours from the 0/52 result on VirusTotal, only 11/53 AV tools seem to detect this malware. This scares o_O, or not :rolleyes:
 
