SecurityWeek | Cybercrime

Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky

A recently observed massive campaign using the Adwind Remote Access Tool (RAT) has hit over 1,500 organizations in over 100 countries and territories, a recent report from Kaspersky Lab warns.


The attacks were spread across industries, Kaspersky says, though the retail and distribution sector was hit the most (20.1%), followed by architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%), and consulting (5%).

The Adwind backdoor has been around for several years, and Kaspersky said last year that it managed to infect over 443,000 users between 2013 and 2016. Also known as AlienSpy, Frutas, Unrecom, Sockrat and jRAT, the malware has been associated with numerous attacks, with the AlienSpy variant discontinued in April 2015 after a report detailing it was published.

The threat is openly sold as a paid service (malware-as-a-service): any customer who pays the fee gets to use the malicious program. According to Kaspersky, this open, subscription-style distribution is the main feature that distinguishes Adwind from other commercial malware.

Written in Java, the malware isn't restricted to a single platform: it runs on Windows, Linux, and macOS, as well as on other platforms with a Java runtime, including Android. With it, cybercriminals can log keystrokes, steal passwords and other data from web forms, capture screenshots, record audio and video, transfer files, and exfiltrate a great deal of other confidential information.

As part of the newly detailed campaign, the RAT is distributed via emails that appear to come from the HSBC Advising Service (the mail.hsbcnet.hsbc.com domain) and claim that a payment advice is attached. Although detailed only now, activity associated with this email domain has been tracked back to 2013, Kaspersky Lab researchers say.

The attachment is a .ZIP archive with a JAR file inside. When the victim opens the JAR, the malware installs itself and then attempts to establish communication with its command and control (C&C) server. Because the dropper is a Java archive, it executes on any machine with a Java runtime installed, which is what lets the same lure work across Windows, Linux, and macOS.
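The ZIP-wrapping-a-JAR delivery described above is easy to check for at a mail gateway. The script below is an added example written for this page, not code from the article or from Kaspersky's report: it inspects an attachment and flags any member that is a JAR by content (a ZIP carrying META-INF/MANIFEST.MF) rather than by extension, so a member renamed to look like a document is still caught. The sample attachment and its file names are constructed in memory so the script runs offline.

```python
"""Flag e-mail attachments that are ZIP archives wrapping a Java JAR.

Added example, not part of the SecurityWeek article or Kaspersky's report.
The attachment built by build_sample_attachment() is constructed here so the
script runs offline; its member names are hypothetical.
"""
import io
import zipfile

# Refuse to inflate members larger than this to avoid decompression bombs.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def _is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive that carries META-INF/MANIFEST.MF."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names


def find_nested_jars(attachment: bytes) -> list[str]:
    """Return the names of members of a ZIP attachment that are JARs.

    Detection is by content, not by file extension, so 'invoice.pdf' that is
    really a JAR is still reported. Non-ZIP input yields an empty list.
    """
    if not attachment.startswith(b"PK\x03\x04"):
        return []
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as outer:
            for info in outer.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                if _is_jar(outer.read(info)):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        return []
    return found


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a decoy PDF and a minimal JAR."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # Placeholder class file: only the 0xCAFEBABE magic matters here.
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("Payment_Advice.pdf", b"%PDF-1.4 decoy")
        # Double extension as a lure; caught because we inspect content.
        outer.writestr("Payment_Advice.pdf.jar", jar_buf.getvalue())
    return outer_buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print("nested JARs:", find_nested_jars(sample))
```

In a gateway this would run on every ZIP attachment before delivery; a hit is a strong signal on its own, since legitimate payment advices are not shipped as Java archives, and the member's manifest Main-Class gives the analyst a starting point for the sample.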

Once a computer has been compromised with the Adwind backdoor, the malware’s operators have virtually complete control over it. This also allows them to immediately start stealing confidential information from the machine.


While analyzing the threat, Kaspersky has established that more than 40% of the targeted users live in ten countries: Malaysia, UK, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico, and Russia.

Kaspersky Lab researchers also suggest that the cybercriminals behind these attacks might be using industry-specific mailing lists to target their campaigns, given that a high proportion of the victims are businesses. "Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology," the researchers say.

Related: Cross-Platform Backdoor Adwind Hits 443,000 Users: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
