Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Adwind Campaign Targets Linux, Windows, and macOS

Adwind remote access Trojan (RAT) samples detected in a recently campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.

Adwind remote access Trojan (RAT) samples detected in a recently campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.

The attacks featured the Adwind 3.0 RAT and employed a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel, ReversingLabs and Cisco Talos security researchers discovered.

The campaign started on August 26 and mainly targeted users in Turkey, with 75% of the observed requests made from that country. Some of the victims were located in Germany, likely members of the Turkish community there. The spam emails carrying malicious documents were written in Turkish.

The attackers used at least two different droppers for their malicious payload, in the form of CSV and XLT files. Both of them, however, would leverage a new variant of the DDE code injection attack, one that remained undetected until now.

In a report published Monday, Talos’ researchers explain that the dropper can actually have one of over 30 file extensions. While not all of them would be opened in Microsoft Excel by default, there are scripts that would start Excel with non-default files as well, making them viable in this attack scenario.

“Because the beginning of the file can contains anything, there is no header to be checked, which might confuse the antivirus additionally engines could expect ASCII characters for the CSV format. Other formats may be considered corrupted has they might not follow the expected format,” Talos reveals.

Excel also displays warnings to the user regarding the execution of code. One warning informs that the file, which is not a real XLT document, might be corrupted, asking the user if they are sure they want to open it. Two other warnings tell the user that the document will execute system applications.

Advertisement. Scroll to continue reading.

If the user accepts all three warnings, the calculator application is executed on the system. The purpose of the campaign, however, is to inject code that would create and execute a Visual Basic Script that uses bitasdmin, a Microsoft tool to download or upload jobs and monitor their progress, to fetch the final payload.

The payload is a Java archive file containing code packed with the demo version of Allatori Obfuscator version 4.7.

The packed malware is a version of the Adwind RAT v3.0, configured to achieve persistence on all three major desktop platforms: Windows, Linux, and macOS. The persistence mechanism, however, is different for each platform.

Employed by several malicious groups for their nefarious purposes, the Trojan provides operators with the ability to execute all kind of commands on the victim machines, to log keystrokes, take screenshots, take pictures, and transfer files.

“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations. This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,” Talos concludes.

Related: Ongoing Adwind Phishing Campaign Discovered

Related: Microsoft Issues Advisory for Mitigating DDE Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...