Adwind: Malware as a Service hit over 400.000 users and organizations

Adwind: The World Research and Analysis Team of Kaspersky Lab published an extensive research on the Remote Access Tool (RAT) Adwind, a multi-malicious malware that affects multiple platforms. This program is also known as AlienSpy, Fruits, Unrecom, Sockrat, JSocket in the upcoming years, while jRat and is distributed through a platform "Malware-as-a-Service".Kaspersky Lab_Map of Adwind

Σύμφωνα με τα ευρήματα της έρευνας, η οποία πραγματοποιήθηκε μεταξύ και 2016, διαφορετικές εκδόσεις του κακόβουλου προγράμματος Adwind έχουν χρησιμοποιηθεί σε επιθέσεις κατά τουλάχιστον 443.000 χρηστών, επιχειρήσεων και μη εμπορικών οργανισμών ανά τον κόσμο. Η πλατφόρμα και το κακόβουλο λογισμικό είναι ακόμα ενεργά. Kaspersky Lab_Adwind timeline

Στα τέλη του 2015, οι ερευνητές της Kaspersky Lab έλαβαν γνώση για ένα ασυνήθιστο κακόβουλο πρόγραμμα, το οποίο είχε ανακαλυφθεί κατά τη διάρκεια μιας απόπειρας στοχευμένης επίθεσης εναντίον μιας τράπεζας στη Σιγκαπούρη. Ένα κακόβουλο αρχείο JAR ήταν συνημμένο σε ένα spear- email που στάλθηκε σε υπάλληλο της τράπεζας. Οι πλούσιες δυνατότητες του κακόβουλου λογισμικού, συμπεριλαμβανομένης της ικανότητα να «τρέχει» σε πολλαπλές πλατφόρμες, καθώς και το γεγονός ότι δεν εντοπίστηκε από οποιαδήποτε λύση antivirus, τράβηξαν αμέσως την προσοχή των ερευνητών.Kaspersky Lab_Adwind timeline_2

Adwind RAT

It turned out that the organization was attacked by Adwind RAT, a backdoor program that was available for purchase and "written" entirely in Java language, elements that make it capable of influencing and operating on multiple platforms. This program can run on platforms running Windows, OSX, Linux and Android, providing features for remote desktop control, data collection, data mining, and more.

Αν ο χρήστης-στόχος ανοίξει το συνημμένο αρχείο JAR, το κακόβουλο πρόγραμμα αυτο-εγκαθίσταται και προσπαθεί να επικοινωνήσει με τον command and server. Στη λίστα με τις λειτουργίες του κακόβουλου λογισμικού περιλαμβάνονται δυνατότητες για:

  • Keystroke interception
  • Tracking cached passwords and data from online formats
  • Download screenshots
  • Take photos and record videos via webcam
  • Microphone recording
  • Transferring folders
  • Collecting general information about system and user
  • Handwriting of keys for electronic money purses
  • Manage SMS messages (for Android platforms)
  • Theft of VPN certificates

Although it is mainly used by aggressively acting aggressors and distributed to massive spam campaigns, there are cases where Adwind was used in targeted attacks. In August of 2015, references to Adwind were found in publications which concerned a case of digital espionage against an Argentine prosecutor, who was finally found dead in January of 2015. The incident against the bank in Singapore was another example of a targeted attack. A deeper look at events related to the use of Adwind RAT showed that these targeted attacks were not the only ones.

The goals

During the investigation, Kaspersky Lab experts analyzed nearly 200 examples of spear-phishing attacks, organized by unknown criminals, with the aim of spreading Adwind malware. They were also able to identify the industries for which most of the targets worked. The list includes companies from industry, financial services, engineering and design, retail, government agencies, shipping companies, telecommunications providers, software companies, educational organizations, food, manufacturing and healthcare companies, media and business energy.

Based on information from the Kaspersky Security Network, 200 examples of spear-phishing attacks from August 2015 to January 2016 showed that more than 68.000 users were tampering with Malware Adwind RAT.

Κατά την ίδια περίοδο, η γεωγραφική κατανομή των χρηστών που δέχτηκαν επίθεση και έχουν καταχωρηθεί στο KSN, δείχνει ότι σχεδόν οι μισοί από αυτούς (49%) ζούσαν στις ακόλουθες 10 χώρες: Ηνωμένα Αραβικά Εμιράτα, Γερμανία, Ινδία, ΗΠΑ, Ιταλία, Ρωσία, Βιετνάμ, Χονγκ Κονγκ, and Taiwan.

Based on the profile of the recognized goals, Kaspersky Lab researchers believe that Adwind customers are in the following categories: fraudsters wanting to go to the next level (using malware for more advanced scams), unfair media , digital mercenaries (spies who rent out their services) and individuals who want to spy on people they know.


One of the main features that Adwind RAT distinguishes from other "commercial" malware programs is that it is distributed openly in the form of a paid service where the "customer" pays a fee in exchange for using the malicious program. Based on a survey of user activity in the internal message board and some other observations, Kaspersky Lab researchers estimate that there were approximately 1.800 users in the system by the end of 2015. This is one of the largest malware platforms to date.

"The Adwind platform, in its current state, significantly reduces the minimum level of professional knowledge needed to enter the field of digital crime. What we can say, based on our investigation of the attack on the bank in Singapore, is that the criminal behind it has nothing to do with a "professional" hacker. We also believe that most of Adwind's "customers" have the same level of knowledge of Computer Science up and down. And this is a worrying trend, said Aleksandr Gostev, Chief Security Expert of Kaspersky Lab.

"Despite multiple reports about the different generations of this tool, which have been published by various security solutions providers in recent years, the platform is still active and used by criminals of all kinds. We conducted this research to draw the attention of the security community and the law enforcement authorities to take the necessary steps to stop the action of this platform completely, said Vitaly Kamluk, Director of Kaspersky Labia's Asia Pacific Research and Analysis Worldwide Group.

Kaspersky Lab has submitted its findings for the Adwind platform to the law enforcement authorities.

To protect users and organizations from this threat, Kaspersky Lab encourages businesses to review the feasibility of using a Java platform and block it for all unauthorized sources.

More information on the "Malware-as-a-Service" Adwind Platform is available on the site

More information on how investigations are conducted on advanced targeted attacks are available on Kaspersky Lab's videos YouTube.

Περισσότερες πληροφορίες σχετικά με τις επιχειρήσεις ψηφιακής ς, μπορείτε να βρείτε στον ιστότοπο The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).