Remote access trojans (RATs) are a devious way attackers can burrow into an organization by setting up a backdoor for entry. Infosec pros are now being warned that a RAT called Adwind, which had been seen in the retail and hospitality industry, has been seen in the U.S. petroleum industry.
The alert comes from security vendor Netskope Inc., which said that in recent weeks it found 20 RAT samples among customers, hosted on the serving domain and spread across six directories, all uploaded within the last month.
“The samples are relatively new and implement multi-layer obfuscation to try to evade detection,” Netskope said in a blog. “It achieves persistence through registry modifications, performs process injection to stay under the radar, terminates security services (e.g., firewall, antivirus), and steals sensitive data.”
The major change from previous versions of Adwind is in the obfuscation technique: multiple embedded Java Archive (JAR) files are used before the actual payload is unpacked. Some of the recent uploads carry multiple file extensions (*.png.jar.jar) to hide the actual file type from the target user.
A number of websites hosted by an Australian ISP are being used to spread the JAR. It isn’t clear if the sites are run by an attacker or have been unwittingly compromised. Netskope warned the service provider before publishing its alert, although as of Tuesday some of the sites were still delivering the malware. Still, organizations of all sizes should be watching for signs of infection.
The report doesn’t detail how victims are infected, although one possibility is a staffer clicking on a malicious link in an email. But the process goes like this: the dropped JAR payload executes, creates the parent java process and copies itself into the %User% directory. Once the copy is created, the java thread executes the copy, creates a registry entry to maintain persistence, and creates and launches WMI scripts to disable firewall and antivirus services.
The new JAR dropped in the first step also runs an AES decryption routine on an embedded object to construct the Step 3 JAR, writes it to the %temp% directory and executes it as a new java thread, which loads the JRAT. The JRAT has multiple levels of obfuscation within itself in order to hide its features and functionality.
Among other things, it captures webcam images, scans hard drives for files based on extensions defined in the RAT’s config, performs injection into known legitimate Windows processes, and encrypts and exfiltrates data.
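The behaviours described above (a double-extension JAR launched by Java, a JAR copy written into the user profile, a Run-key entry created by the java process, and a Java-spawned WMI/script host touching firewall or antivirus services) can be turned into simple detection rules. The following is an added example, not code from the article or from Netskope; it runs over constructed Sysmon-style event records, and the rule names, field layout and sample paths are assumptions made for illustration.

```python
import re

# Constructed sample events (not from the article). The field layout loosely
# mimics Sysmon event types: 1 = process creation, 11 = file create, 13 = registry set.
EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Java\bin\javaw.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"javaw.exe -jar C:\Users\alice\Downloads\invoice.png.jar.jar"},
    {"id": 11, "image": r"C:\Program Files\Java\bin\javaw.exe", "target": r"C:\Users\alice\jre.jar"},
    {"id": 13, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jre"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "wmic service where \"name like '%firewall%'\" call stopservice"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

JAVA = re.compile(r"\\javaw?\.exe$", re.I)                               # java.exe or javaw.exe
DOUBLE_EXT = re.compile(r"\.(png|jpe?g|gif|pdf|docx?)(\.jar)+\b", re.I)  # e.g. .png.jar.jar
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)                   # autorun persistence
SCRIPT_HOST = re.compile(r"\\(wmic|wscript|cscript|powershell)\.exe$", re.I)
SECURITY_SVC = re.compile(r"firewall|mpssvc|windefend|defender|antivirus", re.I)
USER_JAR = re.compile(r"^C:\\Users\\[^\\]+\\.*\.jar$", re.I)            # JAR written under a profile

def analyze(events):
    """Return (rule, evidence) pairs for events matching the Adwind-style chain."""
    hits = []
    for e in events:
        if e["id"] == 1 and JAVA.search(e["image"]) and DOUBLE_EXT.search(e["cmdline"]):
            hits.append(("double_extension_jar", e["cmdline"]))
        elif e["id"] == 11 and JAVA.search(e["image"]) and USER_JAR.match(e["target"]):
            hits.append(("jar_copied_to_user_profile", e["target"]))
        elif e["id"] == 13 and JAVA.search(e["image"]) and RUN_KEY.search(e["key"]):
            hits.append(("java_run_key_persistence", e["key"]))
        elif (e["id"] == 1 and JAVA.search(e["parent"]) and SCRIPT_HOST.search(e["image"])
              and SECURITY_SVC.search(e["cmdline"])):
            hits.append(("java_spawned_security_service_tampering", e["cmdline"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in analyze(EVENTS):
        print(f"{rule}: {evidence}")
```

Any one of these rules alone will produce benign hits (a legitimate Java updater may write a Run key); the chain is suspicious when several fire for the same java process within a short window.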
Adwind works on Windows, Linux and Mac platforms.
(An earlier version of this story mistakenly referred to the malware as Adwin)