Adwind remote access Trojan (RAT) samples detected in a recently campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.
The attacks featured the Adwind 3.0 RAT and employed a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel, ReversingLabs and Cisco Talos security researchers discovered.
The campaign started on August 26 and mainly targeted users in Turkey, with 75% of the observed requests made from that country. Some of the victims were located in Germany, likely members of the Turkish community there. The spam emails carrying malicious documents were written in Turkish.
The attackers used at least two different droppers for their malicious payload, in the form of CSV and XLT files. Both of them, however, would leverage a new variant of the DDE code injection attack, one that remained undetected until now.
In a report published Monday, Talos’ researchers explain that the dropper can actually have one of over 30 file extensions. While not all of them would be opened in Microsoft Excel by default, there are scripts that would start Excel with non-default files as well, making them viable in this attack scenario.
“Because the beginning of the file can contains anything, there is no header to be checked, which might confuse the antivirus additionally engines could expect ASCII characters for the CSV format. Other formats may be considered corrupted has they might not follow the expected format,” Talos reveals.
Excel also displays warnings to the user regarding the execution of code. One warning informs that the file, which is not a real XLT document, might be corrupted, asking the user if they are sure they want to open it. Two other warnings tell the user that the document will execute system applications.
If the user accepts all three warnings, the calculator application is executed on the system. The purpose of the campaign, however, is to inject code that would create and execute a Visual Basic Script that uses bitasdmin, a Microsoft tool to download or upload jobs and monitor their progress, to fetch the final payload.
The payload is a Java archive file containing code packed with the demo version of Allatori Obfuscator version 4.7.
The packed malware is a version of the Adwind RAT v3.0, configured to achieve persistence on all three major desktop platforms: Windows, Linux, and macOS. The persistence mechanism, however, is different for each platform.
Employed by several malicious groups for their nefarious purposes, the Trojan provides operators with the ability to execute all kind of commands on the victim machines, to log keystrokes, take screenshots, take pictures, and transfer files.
“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations. This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,” Talos concludes.
Related: Ongoing Adwind Phishing Campaign Discovered
Related: Microsoft Issues Advisory for Mitigating DDE Attacks