Adwind: The World Research and Analysis Team of Kaspersky Lab published an extensive research on the Remote Access Tool (RAT) Adwind, a multi-malicious malware that affects multiple platforms. This program is also known as AlienSpy, Fruits, Unrecom, Sockrat, JSocket and jRat and is distributed through a platform "Malware-as-a-Service".
According to research findings, conducted between 2013 and 2016, different versions of Malware Adwind have been used in attacks by at least 443.000 users, businesses and non-commercial organizations around the world. The platform and the malicious software are still active. 
In late 2015, Kaspersky Lab researchers became aware of an unusual malware that had been discovered during an attempted targeted attack against a bank in Singapore. A malicious one archive JAR was attached to a spear-phishing email sent to a bank employee. The malware's rich capabilities, including the ability to "run" on multiple platforms, as well as the fact that it was not detected by any antivirus solution, immediately caught the attention of researchers.
Adwind RAT
It turned out that the organization was attacked by Adwind RAT, a backdoor program that was available for purchase and "written" entirely in Java language, elements that make it capable of influencing and operating on multiple platforms. This program can run on platforms running Windows, OSX, Linux and Android, providing features for remote desktop control, data collection, data mining, and more.
If the target user opens the attached JAR file, the malware installs itself and tries to communicate with the command and control server. The list of malware features includes options for:
- Keystroke interception
- Tracking cached passwords and data from online formats
- Download screenshots
- Take photos and record videos via webcam
- Microphone recording
- Transferring folders
- Συλλογή γενικών πληροφοριών για system και χρήστη
- Handwriting of keys for electronic money purses
- Manage SMS messages (for Android platforms)
- Theft of VPN certificates
Although it is mainly used by aggressively acting aggressors and distributed to massive spam campaigns, there are cases where Adwind was used in targeted attacks. In August of 2015, references to Adwind were found in publications which concerned a case of digital espionage against an Argentine prosecutor, who was finally found dead in January of 2015. The incident against the bank in Singapore was another example of a targeted attack. A deeper look at events related to the use of Adwind RAT showed that these targeted attacks were not the only ones.
The goals
During the investigation, Kaspersky Lab experts analyzed nearly 200 examples of spear-phishing attacks, organized by unknown criminals, with the aim of spreading Adwind malware. They were also able to identify the industries for which most of the targets worked. The list includes companies from industry, financial services, engineering and design, retail, government agencies, shipping companies, telecommunications providers, software companies, educational organizations, food, manufacturing and healthcare companies, media and business energy.
Based on information from the Kaspersky Security Network, 200 examples of spear-phishing attacks from August 2015 to January 2016 showed that more than 68.000 users were tampering with Malware Adwind RAT.
During the same period, the geographical distribution of the attacked users registered in the KSN shows that almost half of them (49%) lived in the following 10 countries: United Arab Emirates, Germany, India, USA, Italy, Russia, Vietnam, Hong Kong, Turkey and Taiwan.
Based on the profiles of the identified targets, Kaspersky Lab researchers believe that Adwind platform customers fall into the following categories: fraudsters who want to go to the next level (using malware for more advanced fraud), competitors using unfair means , digital salarytaxes (spies who "hire" their services) and private individuals who want to spy on people they know.
Threat-as-a-Service
One of the main features that Adwind RAT distinguishes from other "commercial" malware programs is that it is distributed openly in the form of a paid service where the "customer" pays a fee in exchange for using the malicious program. Based on a survey of user activity in the internal message board and some other observations, Kaspersky Lab researchers estimate that there were approximately 1.800 users in the system by the end of 2015. This is one of the largest malware platforms to date.
"The Adwind platform, in its current state, significantly reduces the minimum level of professional knowledge needed to enter the field of digital crime. What we can say, based on our investigation of the attack on the bank in Singapore, is that the criminal behind it has nothing to do with a "professional" hacker. We also believe that most of Adwind's "customers" have the same level of knowledge of Computer Science up and down. And this is a worrying trend, said Aleksandr Gostev, Chief Security Expert of Kaspersky Lab.
“Despite the multiple references to the different generations of this tooly, which have been published by various security solution providers in recent years, the platform is still active and used by criminals of all kinds. We conducted this investigation to bring the attention of the security community and law enforcement authorities to take the necessary actions that will lead to the complete shutdown of this platform." said Vitaly Kamluk, Director of Kaspersky Labia's Asia Pacific Research and Analysis Worldwide Group.
Kaspersky Lab has submitted its findings for the Adwind platform to the law enforcement authorities.
For the protection users and organizations from this threat, Kaspersky Lab encourages enterprises to review the feasibility of using a Java platform and block it for all unauthorized sources.
More information on the "Malware-as-a-Service" Adwind Platform is available on the site Securelist.com.
More information on how investigations are conducted on advanced targeted attacks are available on Kaspersky Lab's videos YouTube.
More information about digital espionage companies can be found on the site https://apt.securelist.com/.
