Remote Access Trojan(RAT) Called “Adwind”(Adwind/jRAT) Targeting Aerospace Industries to steal credentials, record and harvest keystrokes, take pictures or screenshots, film and retrieve videos, and exfiltrate data.
Its a Cross Platform Remote Access Trojan which Detect as JAVA_ADWIND and Malware Authors developed this Malware to run on any machine installed with Java, including Windows, Mac OSX, Linux, and Android.
This RAT Mainly Targeting Aerospace industries and infected countries including Switzerland, Ukraine, Austria and US listed as Most Affected Countries.
Infection Chain of Adwind
Adwind RAT used to spread via spam campaign contains Malicious URL and distributing the malware increased by 107% since the beginning of 2017.
Trend Micro Researchers Detected this RAT as JAVA_ADWIND and its has Many sophisticated aliases functions including jRAT, Universal Remote Control Multi-Platform (UNRECOM), AlienSpy, Frutas, and JSocket.
Infected Chain (Source : Trend Micro)
Adwind Detected by two waves, First one contains malware equipped with spyware capabilities and Divert the Victims using a different URL which has been identified on June 7, 2017 by Trend Mircro.
Second one used different domains that hosted their malware and command and control (C&C) servers which has been identified on June 14, 2017.
“The malicious URL will drop a Program Information file (PIF). PIFs contain information on how Windows can run MS-DOS applications, and can be launched normally like any executable (EXE). The file is written in .NET and serves as a downloader. The process spawned by the file kicks off the infection chain by first modifying the system certificate.”
Discovered Malicious URL Contains several Phishing and spam email-related HTML files which leads to victims to download the malicious PIF file.
Downloader contains Wrappers which is working for RATs that can helps to all additional routines without sacrificing computational resources and that will connect to C&C server and drop the Adwind/jRAT in runtime .
While on initial stage of infection ,it will check the systems internet access .
“The end of the process is a particularly useful feature in Java that enables developers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cyber criminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions.”
It also targeting Banks and turned infected machines into botnets.