Adwind Malware Used in Attacks Against U.S. Petroleum Firms

Attackers using the Adwind remote access Trojan (RAT) are targeting petroleum firms in the United States in a recent campaign, researchers from Netskope report.

Samples observed in the attacks are relatively new, but the functionality of the RAT has remained consistent with previously detailed campaigns.

The malware does attempt to evade detection by means of multi-layer obfuscation (multiple embedded JAR archives), and after it has infected a machine, it modifies the system registry to achieve persistence, performs process injection, attempts to kill security services, and then proceeds to steal sensitive data. 

The new campaign is serving Adwind from the network of Australian Internet service provider Westnet. Netskope’s researchers believe that either the attacker is a Westnet user, or they compromised one or more Westnet accounts (the same RAT is being hosted by multiple Westnet users). 

The attackers used multiple file extensions, such as *.png.jar.jar, in an attempt to hide the actual file type from the target user. As soon as the payload is executed, multiple levels of JAR extraction occur.

When executed, the dropped JAR payload creates a Java process and copies itself into the %User% directory. Next, Java executes the copy, creates a registry entry for persistence, and writes WMI scripts to %temp%, launching them to disable firewall and antivirus services.

The dropped JAR decrypts an embedded object to construct the Step 3 JAR, writes it to the %temp% directory and executes it as a new Java thread. The Step 3 JAR then loads the JRAT class, which is responsible for loading and linking the DLL that contains the major RAT functionality. 
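As an added defensive illustration (not code from the article or from Netskope), the following script shows how a triage tool can surface the two indicators described above: a filename built from stacked extensions such as *.png.jar.jar, and a JAR that carries further JAR archives embedded as resources. The three-level sample archive is constructed inline and is not a real malware sample; the decoy-extension list is an assumption.

```python
import io
import zipfile

# Constructed sample: a JAR nested inside a JAR nested inside a JAR, mimicking
# the multi-layer embedding the article describes. Not a real Adwind sample.
def _build_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

INNER = _build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Stub\n",
                    "Stub.class": b"\xca\xfe\xba\xbe"})
MIDDLE = _build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Loader\n",
                     "payload.bin": INNER})
SAMPLE = _build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Dropper\n",
                     "res/blob.dat": MIDDLE})

ZIP_MAGIC = b"PK\x03\x04"
# Assumed list of "decoy" extensions an attacker would place before .jar.
DECOY_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "txt"}


def has_disguised_extension(filename: str) -> bool:
    """True for names like invoice.png.jar.jar: ends in .jar with a decoy ext before it."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "jar" and any(p in DECOY_EXTS for p in parts[1:-1])


def embedded_archives(data: bytes, depth: int = 0, path: str = "", max_depth: int = 8) -> list:
    """Recursively list (depth, path) for every ZIP/JAR found inside a ZIP/JAR.

    Embedded archives are recognised by the local-file-header magic, not by
    name, since droppers store them under arbitrary resource names.
    max_depth bounds recursion so a crafted archive cannot exhaust the scanner.
    """
    findings = []
    if depth >= max_depth or not data.startswith(ZIP_MAGIC):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            child = zf.read(info.filename)
            if child.startswith(ZIP_MAGIC):
                child_path = f"{path}/{info.filename}"
                findings.append((depth + 1, child_path))
                findings.extend(embedded_archives(child, depth + 1, child_path, max_depth))
    return findings


def nesting_depth(data: bytes) -> int:
    """Maximum embedding depth; a plain application JAR returns 0."""
    return max((d for d, _ in embedded_archives(data)), default=0)
```

A depth of 2 or more, combined with a disguised extension, is a strong triage signal that warrants sandboxing the file rather than relying on the top-level JAR's antivirus verdict.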

The JRAT class, which hides functionality under multiple levels of obfuscation, attempts to connect to the command and control (C&C) server at 185[.]205[.]210[.]48. 


Adwind is a cross-platform RAT that targets Windows, Linux, and Mac. The malware can capture webcam images, scan the hard drive for files based on extensions defined in the RAT's config, inject into known legitimate Windows processes, monitor system status, and exfiltrate stolen data to the C&C in encrypted form.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” Netskope notes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
