SecurityWeek

Cybercrime

Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky

A recently observed massive campaign using the Adwind Remote Access Tool (RAT) has hit over 1,500 organizations in over 100 countries and territories, a recent report from Kaspersky Lab warns.


The attacks were spread across industries, Kaspersky says, though the retail and distribution sector was hit the most (20.1%), followed by architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%), and consulting (5%).

The Adwind backdoor has been around for several years, and Kaspersky said last year that it managed to infect over 443,000 users between 2013 and 2016. Also known as AlienSpy, Frutas, Unrecom, Sockrat and jRAT, the malware has been associated with numerous attacks, with the AlienSpy variant discontinued in April 2015 after a report detailing it was published.

The threat is openly sold as a paid service: any customer can use the malicious program by paying a fee. According to Kaspersky, this malware-as-a-service model is the main feature that distinguishes the Adwind RAT from other commercial malware.

Written in Java, the malware isn't restricted to a single platform: it runs on Windows, Linux, and macOS, as well as on other platforms with a Java runtime, including Android. With it, cybercriminals can log keystrokes, steal passwords and other data from web forms, capture screenshots, record audio and video, and transfer files, giving them broad access to confidential information on the host.

In the newly detailed campaign, the RAT is distributed via emails purporting to come from the HSBC Advising Service (sender addresses in the mail.hsbcnet.hsbc.com domain) and claiming that a payment advice is included in the attachment. Although detailed only now, activity from this email domain has been tracked back to 2013, Kaspersky Lab researchers say.

The attachment is a .ZIP file with a JAR inside. When the user opens the JAR, the malware self-installs on the machine and then attempts to establish communication with its command and control (C&C) server. Because the payload is a Java archive, it runs wherever a Java runtime is installed, whichever operating system the victim uses.
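The delivery chain in the two paragraphs above (a lure claiming to be from HSBC, a ZIP attachment, a JAR inside) is the kind of thing a mail gateway can catch before a Java runtime ever sees the file. The check below is an added example, not code from Kaspersky or SecurityWeek: it builds a constructed, benign message that mimics the lure (the sender address, recipient and class name are hypothetical), then walks every attachment, recursing into nested archives by content rather than by file extension, and reports any archive that carries a META-INF/MANIFEST.MF with a Main-Class, which is what turns a plain ZIP into an executable JAR.

```python
"""Gateway-side check for a ZIP attachment carrying a JAR (a Java archive is
itself a ZIP whose META-INF/MANIFEST.MF names a Main-Class). Added example
with a constructed message; not Kaspersky's or SecurityWeek's code, and the
'JAR' built here contains no real bytecode."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

JAR_MANIFEST = "META-INF/MANIFEST.MF"
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # never inflate oversized entries (zip-bomb guard)
MAX_NESTING = 3                       # ZIP-in-ZIP-in-ZIP is as deep as we look


def build_jar(main_class="a.b.Loader"):
    """Constructed, benign JAR-shaped archive: a manifest plus a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(JAR_MANIFEST, f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        jar.writestr("a/b/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_zip(inner_name, inner_bytes):
    """Wrap one file in a ZIP, as the lure's attachment does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(inner_name, inner_bytes)
    return buf.getvalue()


def build_message(attachment_name, attachment_bytes):
    """Constructed lure in the style of the report (hypothetical address and recipient)."""
    msg = EmailMessage()
    msg["From"] = "HSBC Advising Service <advising@mail.hsbcnet.hsbc.com>"
    msg["To"] = "payments@example.net"
    msg["Subject"] = "Payment Advice"
    msg.set_content("Please find your payment advice attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def main_class_of(manifest_bytes):
    """Pull the Main-Class value out of a manifest, or None if it has none."""
    for line in manifest_bytes.decode("utf-8", "replace").splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def find_jars(data, path, depth=0):
    """Return [(path, main_class)] for every JAR in `data`, recursing into nested
    archives by content, so renaming Payment_Advice.jar to .pdf does not help."""
    hits = []
    if depth > MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if JAR_MANIFEST in names:
            hits.append((path, main_class_of(z.read(JAR_MANIFEST))))
        for info in z.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            hits += find_jars(z.read(info), f"{path}!{info.filename}", depth + 1)
    return hits


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and report JARs found in its attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings += find_jars(part.get_payload(decode=True), name)
    return findings


if __name__ == "__main__":
    lure = build_message("Payment_Advice.zip", build_zip("Payment_Advice.jar", build_jar()))
    for path, main in scan_message(lure):
        print(f"BLOCK: JAR at {path}, Main-Class {main}")
```

Matching on content rather than on the `.jar` extension matters because the extension is whatever the operator names the file, and `java -jar` does not care either; the nesting and entry-size limits keep a hostile archive from turning the scanner itself into the target.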

Once a computer has been compromised with the Adwind backdoor, the malware’s operators have virtually complete control over it. This also allows them to immediately start stealing confidential information from the machine.


While analyzing the threat, Kaspersky has established that more than 40% of the targeted users live in ten countries: Malaysia, UK, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico, and Russia.

Kaspersky Lab researchers also suggest that the cybercriminals behind these attacks might be using industry-specific mailing lists to target their campaign, given that a high proportion of the victims are businesses. "Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology," the researchers say.

Related: Cross-Platform Backdoor Adwind Hits 443,000 Users: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
