Adwind Malware Used in Attacks Against U.S. Petroleum Firms

Attackers using the Adwind remote access Trojan (RAT) are targeting petroleum firms in the United States in a recent campaign, researchers from Netskope report.

Samples observed in the attacks are relatively new, but the functionality of the RAT has remained consistent with previously detailed campaigns.

The malware does attempt to evade detection by means of multi-layer obfuscation (multiple embedded JAR archives), and after it has infected a machine, it modifies the system registry to achieve persistence, performs process injection, attempts to kill security services, and then proceeds to steal sensitive data. 

The new campaign is serving Adwind from the network of Australian Internet service provider Westnet. Netskope’s researchers believe that either the attacker is a Westnet user, or they compromised one or more Westnet accounts (the same RAT is being hosted by multiple Westnet users). 

The attackers used multiple file extensions, such as *.png.jar.jar, in an attempt to hide the actual file-type from the target user. As soon as the payload is executed, multiple levels of JAR extractions occur. 

When executed, the dropped JAR payload creates a Java process and copies itself into the %User% directory. Next, Java executes the copy, creates a registry entry for persistence, and writes WMI scripts to %temp%, launching them to disable firewall and antivirus services.

The dropped JAR decrypts an embedded object to construct the Step 3 JAR, writes it to the %temp% directory and executes it as a new Java thread. The Step 3 JAR then loads the JRAT class, which is responsible for loading and linking the DLL that contains the major RAT functionality. 
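As an added illustration, not code from Netskope or SecurityWeek, the following Python triage helper applies two of the indicators described above to a constructed sample: a deceptive double extension such as *.png.jar.jar, and the number of JAR archives nested inside a JAR, found by inspecting entry content rather than entry names. The decoy-extension list is an assumption, and an inner layer that is stored encrypted (like the Step 3 JAR) is not visible to this check.

```python
import io
import zipfile

# Assumed list of extensions a malicious JAR may borrow to look harmless.
DECOY_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "txt"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature shared by JAR and ZIP


def has_deceptive_jar_name(filename):
    """True for names such as 'scan.png.jar.jar': a JAR hiding behind a decoy extension."""
    parts = filename.lower().split(".")
    if len(parts) < 3 or parts[-1] != "jar":
        return False
    inner = parts[1:-1]
    return any(p in DECOY_EXTENSIONS or p == "jar" for p in inner)


def jar_nesting_depth(data, limit=8):
    """Count archive layers: 0 for non-archives, 1 for a plain JAR, more when JARs are embedded."""
    if not data.startswith(ZIP_MAGIC):
        return 0
    if limit <= 0:  # guard against pathological recursion
        return 1
    inner_max = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Judge entries by content: droppers rename embedded archives freely.
                inner_max = max(inner_max, jar_nesting_depth(zf.read(info), limit - 1))
    except zipfile.BadZipFile:
        return 0
    return 1 + inner_max


def build_sample(layers):
    """Constructed test input: `layers` archives nested inside one another, decoy-named entries."""
    data = b"not an archive"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Main-Class: Loader\n")
            zf.writestr(f"res/blob{i}.png", data)  # embedded archive with a decoy name
        data = buf.getvalue()
    return data


def triage(filename, data, max_layers=1):
    """Return the indicator names that fire for a file; an empty list means nothing suspicious."""
    findings = []
    if has_deceptive_jar_name(filename):
        findings.append("deceptive-double-extension")
    depth = jar_nesting_depth(data)
    if depth > max_layers:
        findings.append(f"nested-jar-depth-{depth}")
    return findings
```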

The JRAT class, which hides functionality under multiple levels of obfuscation, attempts to connect to the command and control (C&C) server at 185[.]205[.]210[.]48. 

Adwind is a cross-platform RAT that targets Windows, Linux, and Mac. The malware can capture webcam images, scan the hard drive for files based on extensions defined in the RAT’s config, inject into known legitimate Windows processes, monitor system status, and exfiltrate stolen data to the C&C in encrypted form.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” Netskope notes. 

Related: New Adwind Campaign Targets Linux, Windows, and macOS

Related: Ongoing Adwind Phishing Campaign Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
