Adwind malware-as-a-service platform hits 440,000 users: Kaspersky

09 Feb 2016

1

The Kaspersky Lab Global Research and Analysis Team has published extensive research on the Adwind Remote Access Tool (RAT), a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, and which is distributed through a single malware-as-a-service platform. According to the results of the investigation, conducted between 2013 and 2016, different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organisations around the world. The platform and the malware are still active.

At the end of 2015, Kaspersky Lab researchers became aware of an unusual malware program that had been discovered during an attempted targeted attack against a bank in Singapore. A malicious JAR file was attached to a spear-phishing email received by a targeted employee at the bank. The malware's rich capabilities, including its ability to run on multiple platforms as well as the fact that it was not detected by any antivirus solution, immediately captured the attention of the researchers.

The Adwind RAT
It turned out that the organisation had been attacked with the Adwind RAT, a backdoor available for purchase and written entirely in Java, which makes it cross-platform. It can run on Windows, OS X, Linux and Android platforms providing capabilities for remote desktop control, data gathering, data exfiltration etc.

If the targeted user opens the attached JAR file the malware self-installs and attempts to communicate with the command and control server. The malware's list of functions includes the ability to:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from the webcam
  • record sound from the microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates

While it is used mainly by opportunistic attackers and distributed in massive spam campaigns, there are cases where Adwind was used in targeted attacks. In August 2015, Adwind popped up in the news related to cyber-espionage against an Argentinian prosecutor who had been found dead in January 2015.

The incident against the Singaporean bank was another example of a targeted attack. A deeper look into events related to the usage of the Adwind RAT showed that these targeted attacks were not the only ones.

Business History Videos

History of hovercraft Part 3...

Today I shall talk a bit more about the military plans for ...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of hovercraft Part 2...

In this episode of our history of hovercraft, we shall exam...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Hovercraft Part 1...

If you’ve been a James Bond movie fan, you may recall seein...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Trams in India | ...

The video I am presenting to you is based on a script writt...

By Aniket Gupta | Presenter: Sheetal Gaikwad

view more