What Is It?

A new campaign utilizing the Adwind RAT (Remote Access Trojan) and specifically targeting organizations within the U.S. petroleum industry has been discovered by researchers at Netskope. The Adwind RAT is also known as AlienSpy, Frutas, jRAT, JSocket and Sockrat and is written in Java, allowing it to execute on Windows, Linux and Mac systems.

Adwind is available for sale by its authors on the dark web via a malware-as-a-service (MaaS) offering, where attackers pay a fee in order to use the malware in their malicious campaigns. Adwind has been available for a number of years and reports state there were approximately 1,800 unique customers at the end of 2015.

Adwind contains functionality expected of a RAT, including the ability to log keystrokes, steal credentials stored on the system or entered on web pages, capture screenshots, audio and video, manipulate files, steal cryptocurrency keys and VPN certificates, and download and execute other malware. Netskope found that the attackers behind this campaign were using Adwind as a reconnaissance and exfiltration tool to acquire credentials, documents and other files, such as SSH keys, to allow the attackers to move laterally through the network.

The Adwind malware itself isn’t particularly sophisticated at a code level, and Netskope believes the variants in this campaign weren’t using the latest versions. However, what makes this campaign noteworthy is the use of multi-level obfuscation and encryption in an attempt to evade detection by legacy security products, including anti-virus. The initial malicious Java JAR file infects systems at targeted organizations as an attachment or a link in a malicious spam email. This JAR file copies itself to the user’s directory and runs the copy, which then decrypts and executes the next stage, which in turn creates the final JAR payload.
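As an added illustration of the defender's view of a staged JAR dropper like the one described above (this is example code written for this page, not code from the original report, from Netskope or from BluVector): a small Python checker that opens a JAR as a ZIP archive and flags entries that look like an embedded next stage, namely nested archives and large, high-entropy resources that are not Java class files. The two sample JARs it builds are constructed in memory; the entry names, the stub class bytes, and the 7.5-bit-per-byte entropy threshold are assumptions chosen for the example.

```python
import io
import math
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"        # local file header of a ZIP/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # magic number of a Java class file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_jar(jar_bytes: bytes, entropy_threshold: float = 7.5,
                min_blob_size: int = 256) -> dict:
    """Look for artefacts of a staged dropper inside a JAR.

    Flags (a) entries that are themselves ZIP/JAR archives and (b) non-class,
    non-manifest resources that are large and near-random, which is what an
    encrypted next stage looks like at rest.  Threshold values are assumptions.
    """
    findings = {"class_count": 0, "nested_archives": [],
                "high_entropy_blobs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)      # decompressed content
            if data.startswith(CLASS_MAGIC):
                findings["class_count"] += 1
                continue
            if data.startswith(ZIP_MAGIC):
                findings["nested_archives"].append(info.filename)
                continue
            if info.filename.startswith("META-INF/"):
                continue                       # manifest and signature files
            ent = shannon_entropy(data)
            if len(data) >= min_blob_size and ent >= entropy_threshold:
                findings["high_entropy_blobs"].append((info.filename, round(ent, 2)))
    findings["suspicious"] = bool(findings["nested_archives"]
                                  or findings["high_entropy_blobs"])
    return findings


# --- constructed samples (not real malware) ---------------------------------

# A stub "class": correct magic number followed by padding, not a loadable class.
STUB_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 64
MANIFEST = b"Manifest-Version: 1.0\nMain-Class: app.Main\n"


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Ordinary JAR: manifest, one class, one low-entropy text resource."""
    return _zip({
        "META-INF/MANIFEST.MF": MANIFEST,
        "app/Main.class": STUB_CLASS,
        "resources/strings.txt": b"setting=value\n" * 50,
    })


def build_staged_sample() -> bytes:
    """Dropper-shaped JAR: a nested archive plus a uniform-byte blob standing in
    for an encrypted stage (entropy exactly 8.0 bits/byte)."""
    inner = _zip({"stage2/Loader.class": STUB_CLASS})
    return _zip({
        "META-INF/MANIFEST.MF": MANIFEST,
        "app/Main.class": STUB_CLASS,
        "stage2.bin": inner,
        "resources/config.dat": bytes(range(256)) * 16,
    })


if __name__ == "__main__":
    for label, sample in (("benign", build_benign_sample()),
                          ("staged", build_staged_sample())):
        print(label, analyze_jar(sample))
```

The check is deliberately coarse: legitimate JARs can carry compressed images or nested libraries, so the output is a triage signal to pair with the delivery context (an unsolicited email attachment that copies itself into the user's profile and spawns a second JVM), not a verdict on its own.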

Netskope found the author’s time and effort was well spent creating the multi-level obfuscation and encryption. When the samples were initially scanned by the VirusTotal service, the initial sample was only detected by five products, whereas the final, unobfuscated sample was detected by 49. Clearly their techniques were successful at evading detection by legacy anti-virus products.

After the fact, these products can now create signatures to detect this specific initial sample; however, BluVector Cortex was capable of detecting both of these samples months before they were even created.

How Does It Propagate?

The Adwind malware does not contain the necessary code to self-propagate. Malicious spam emails containing a link or attachment are used to compromise systems at targeted organizations.

When/How Did BluVector Detect It?

Both the initial and final malicious JAR samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown these samples would have been detected for an average of 30 months prior to their release.