Attackers using the Adwind remote access Trojan (RAT) are targeting petroleum firms in the United States in a recent campaign, researchers from Netskope report.
Samples observed in the attacks are relatively new, but the functionality of the RAT has remained consistent with previously detailed campaigns.
The malware does attempt to evade detection by means of multi-layer obfuscation (multiple embedded JAR archives), and after it has infected a machine, it modifies the system registry to achieve persistence, performs process injection, attempts to kill security services, and then proceeds to steal sensitive data.
The new campaign is serving Adwind from the network of Australian Internet service provider Westnet. Netskope’s researchers believe that either the attacker is a Westnet user, or they compromised one or more Westnet accounts (the same RAT is being hosted by multiple Westnet users).
The attackers used multiple file extensions, such as *.png.jar.jar, in an attempt to hide the actual file-type from the target user. As soon as the payload is executed, multiple levels of JAR extractions occur.
When executed, the dropped JAR payload creates a Java process and copies itself into the %User% directory. Next, the Java executes the copy, creates a registry entry for persistence, and creates WMI scripts in %temp% and launches them to disable firewall and antivirus services.
The dropped JAR decrypts an embedded object to construct the Step 3 JAR, writes it to the %temp% directory and executes it as a new Java thread. The Step 3 JAR then loads the JRAT class, which is responsible for loading and linking the DLL that contains the major RAT functionality.
The JRAT class, which hides functionality under multiple levels of obfuscation, attempts to connect to the command and control (C&C) server at 185[.]205[.]210[.]48.
Adwind is a cross-platform RAT that targets Windows, Linux, and Mac. The malware can capture webcam images, scan the hard-drive for files based on extensions defined in RAT’s config, inject into known legitimate windows processes, monitor system status, and exfiltrate stolen data to the C&C, in encrypted form.
“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection,” Netskope notes.
Related: New Adwind Campaign Targets Linux, Windows, and macOS