Security Experts:

Ongoing Adwind Phishing Campaign Discovered

A new phishing campaign delivering the Jsocket variant of Adwind (also known as AlienSpy) was detected in October, and is ongoing. Adwind and its variants have been around since at least 2012. It is a cross-platform backdoor able to install additional malware, steal information, log keystrokes, capture screenshots, take video and audio recordings, and update its own configuration.

According to Kaspersky Lab's virus definition, "it is distributed openly in the form of a paid service, where the "customer" pays a fee in return for use of the malicious program. There were around 1,800 users of the system by the end of 2015. This makes it one of the biggest malware platforms in existence today."

The current campaign was detected by KnowBe4, a security awareness firm, and reported in a blog by CEO Stu Sjowerman posted today. KnowBe4 provides users with a phish alert button that notifies both the company's security team and KnowBe4 when a suspicious email is received.

"In early October we noticed an uptick in the number of phishing emails reported by customers that were sporting .JAR (Java) attachments -- a hallmark of Adwind," writes Sjowerman. There is no indication of the size of this new campaign, which is unsurprising since KnowBe4's awareness comes primarily from those of its own customers that have installed its phish alert button.

However, since Adwind is sold as a service, it can at any time be delivered as a new bulk campaign or even by multiple cybercriminals using different customizations with different functionalities. In February 2016, Kaspersky Lab estimated that approximately 443,000 targets had been hit with Adwind by the end of 2015. 

In July 2017, Trend Micro noted an Adwind campaign that started with 5,286 detections in January and grew to 117,649 detections in June -- with a 107% growth between May and June. If this pattern repeats, what is currently noted by KnowBe4 as "an uptick in the number of phishing emails reported by customers," could be the beginning of a major new Adwind campaign.

"All the Adwind phishes in this upsurge," comments Sjowerman, "used Subject: lines and social engineering schemes centered on everyday business documents and related forms: invoices, purchase orders, payment instructions, contracts, and RFQs (requests for quotations)." The campaign is apparently targeting businesses rather than consumers. This is very similar to an Adwind alert issued by McAfee in December 2015, which included Subject lines such as "credit note for outstanding payment of Invoice", "PO#939423" and "Re: Payment/TR COPY-Urgent".

KnowBe4 provides two sample phishing emails. One includes the payload in a .JAR file. In this instance, Outlook blocks access to the attachment as being 'potentially unsafe'. In the second example, the payload is contained in a zip file, and is not blocked by Outlook. KnowBe4 doesn't comment on whether this difference, together with stylistic differences between the two email bodies, indicates that multiple groups are sending out Adwind phishes.

Sjowerman is particularly concerned about the ability of anti-virus defenses to recognize and block Adwind. "Although we can say that anti-virus engine detections appear to have improved with time, they are still not at a level that would inspire confidence, with the samples we submitted [to VirusTotal] being picked up by only 16-24 engines (out of 60 total) -- roughly 26%-40% of tested engines -- even weeks after their original appearance in the wild."

He accepts that VirusTotal does not accurately reflect the true performance of an AV product. "It is worth noting," he adds, "that most endpoint anti-virus products now incorporate heuristics-driven behavioral detection capabilities that allow them to provide protection beyond their more traditional, file-focused core engines."

His concern, however, is over the extent of anti-detection capabilities built into Adwind. These include sandbox detection; detection, disabling and killing of various antivirus and security tools; TLS-protected command-and-control; and anti-reverse engineering/debugging protection.

"Many of these [antivirus] behavioral protection schemes intervene only after malicious files land on the file system and execute... And given that Adwind itself sports extremely aggressive tools to detect, thwart, and kill all manner of security tools, the best approach to handling an advanced threat like Adwind is to prevent it from being downloaded and executed in the first place."

In short, the best prevention for Adwind is the human firewall of user awareness.

KnowBe4 raised $30 million in Series B financing led by Goldman Sachs Growth Equity in October 2017.

Related: Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky

Related: Consumers, Enterprises Targeted With Cross-Platform AlienSpy RAT

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.