Adwind: The World Research and Analysis Team of Kaspersky Lab published an extensive research on the Remote Access Tool (RAT) Adwind, a multi-malicious malware that affects multiple platforms. This program is also known as AlienSpy, Fruit, Unrecom, Sockrat, JSocket and jRat and is distributed through a platform "Malware-as-a-Service".
According to research findings, conducted between 2013 and 2016, different versions of Malware Adwind have been used in attacks by at least 443.000 users, businesses and non-commercial organizations around the world. The platform and the malicious software are still active.
At the end of 2015, Kaspersky Lab researchers learned about an unusual malware program that was discovered during a targeted attack on a bank in Singapore. A malicious JAR file was attached to a spear-phishing email sent to an employee of the bank. The rich capabilities of malware, including the ability to run on multiple platforms, and the fact that it was not detected by any antivirus solution, immediately caught the attention of researchers.
Adwind RAT
It turned out that the organization was attacked by Adwind RAT, a backdoor program that was available for purchase and "written" entirely in Java language, elements that make it capable of influencing and operating on multiple platforms. This program can run on platforms running Windows, OSX, Linux and Android, providing features for remote desktop control, data collection, data mining, and more.
If the target user opens the attached JAR file, the malware installs itself and tries to communicate with the command and control server. The list of malware features includes options for:
- Keystroke interception
- Tracking cached passwords and data from online formats
- Download screenshots
- Take photos and record videos via webcam
- Microphone recording
- Transferring folders
- Collecting general information about system and user
- Handwriting of keys for electronic money purses
- Manage SMS messages (for Android platforms)
- Theft of VPN certificates
Although it is mainly used by aggressively acting aggressors and distributed to massive spam campaigns, there are cases where Adwind was used in targeted attacks. In August of 2015, references to Adwind were found in publications which concerned a case of digital espionage against an Argentine prosecutor, who was finally found dead in January of 2015. The incident against the bank in Singapore was another example of a targeted attack. A deeper look at events related to the use of Adwind RAT showed that these targeted attacks were not the only ones.
The goals
During the investigation, Kaspersky Lab experts analyzed nearly 200 examples of spear-phishing attacks, organized by unknown criminals, with the aim of spreading Adwind malware. They were also able to identify the industries for which most of the targets worked. The list includes companies from industry, financial services, engineering and design, retail, government agencies, shipping companies, telecommunications providers, software companies, educational organizations, food, manufacturing and healthcare companies, media and business energy.
Based on information from the Kaspersky Security Network, 200 examples of spear-phishing attacks from August 2015 to January 2016 showed that more than 68.000 users were tampering with Malware Adwind RAT.
During the same period, the geographical distribution of the attacked users registered in the KSN shows that almost half of them (49%) lived in the following 10 countries: United Arab Emirates, Germany, India, USA, Italy, Russia, Vietnam, Hong Kong, Turkey and Taiwan.
Based on the profile of the recognized goals, Kaspersky Lab researchers believe that Adwind customers are in the following categories: fraudsters wanting to go to the next level (using malware for more advanced scams), unfair media , digital mercenaries (spies who rent out their services) and individuals who want to spy on people they know.
Threat-as-a-Service
One of the main features that Adwind RAT distinguishes from other "commercial" malware programs is that it is distributed openly in the form of a paid service where the "customer" pays a fee in exchange for using the malicious program. Based on a survey of user activity in the internal message board and some other observations, Kaspersky Lab researchers estimate that there were approximately 1.800 users in the system by the end of 2015. This is one of the largest malware platforms to date.
"The Adwind platform, in its current state, significantly reduces the minimum level of professional knowledge needed to enter the field of digital crime. What we can say, based on our investigation of the attack on the bank in Singapore, is that the criminal behind it has nothing to do with a "professional" hacker. We also believe that most of Adwind's "customers" have the same level of knowledge of Computer Science up and down. And this is a worrying trend, said Aleksandr Gostev, Chief Security Expert of Kaspersky Lab.
"Despite multiple reports about the different generations of this tool, which have been published by various security solutions providers in recent years, the platform is still active and used by criminals of all kinds. We conducted this research to draw the attention of the security community and the law enforcement authorities to take the necessary steps to stop the action of this platform completely, said Vitaly Kamluk, Director of Kaspersky Labia's Asia Pacific Research and Analysis Worldwide Group.
Kaspersky Lab has submitted its findings for the Adwind platform to the law enforcement authorities.
To protect users and organizations from this threat, Kaspersky Lab encourages businesses to review the feasibility of using a Java platform and block it for all unauthorized sources.
More information on the "Malware-as-a-Service" Adwind Platform is available on the site Securelist.com.
More information on how investigations are conducted on advanced targeted attacks are available on Kaspersky Lab's videos YouTube.
More information about digital espionage companies can be found on the site https://apt.securelist.com/.