Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky

A recently observed massive campaign using the Adwind Remote Access Tool (RAT) has hit over 1,500 organizations in over 100 countries and territories, a recent report from Kaspersky Lab warns.

The attacks were spread across industries, Kaspersky says, though the retail and distribution sector was hit the most (20.1%), followed by architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%), and consulting (5%).

The Adwind backdoor has been around for several years, and Kaspersky said last year that it managed to infect over 443,000 users between 2013 and 2016. Also known as AlienSpy, Frutas, Unrecom, Sockrat and jRAT, the malware has been associated with numerous attacks, with the AlienSpy variant discontinued in April 2015 after a report detailing it was published.

The threat is openly distributed in the form of a paid service, where any customer can use the malicious program by paying a fee. According to Kaspersky, this is the main feature that distinguishes the Adwind RAT from other commercial malware.

Written in Java, the malware isn’t restricted on a single platform, but can be used to target Windows, Linux, and macOS, as well as other platforms that run Java, including Android. With the help of this threat, cybercriminals can log keystrokes, steal passwords and other data from web forms, capture screenshots, record audio and video, transfer files, and steal a great deal of confidential information as well.

As part of the newly detailed campaign, the RAT is being distributed via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain), purporting that payment advice has been included in an attachment. Although detailed only now, the activity of this email domain has been tracked back to 2013, Kaspersky Lab researchers say.

Once the victim opens the attachment, however, a malware sample is installed on the machine. The attachment comes in the form of a .ZIP file that includes a JAR inside. When the user opens it, the malware self-installs, after which it attempts to establish communication with the command and control (C&C) server.

Once a computer has been compromised with the Adwind backdoor, the malware’s operators have virtually complete control over it. This also allows them to immediately start stealing confidential information from the machine.

While analyzing the threat, Kaspersky has established that more than 40% of the targeted users live in ten countries: Malaysia, UK, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico, and Russia.

Kaspersky Lab researchers also suggest that the cybercriminals behind these attacks might be using industry-specific mailing list to target their attacks, considering the fact that a high proportion of their victims are businesses. “Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology,” the researchers also say.

Related: Cross-Platform Backdoor Adwind Hits 443,000 Users: Kaspersky