The pandemic has driven businesses around the world to move their operations digitally in order to survive in the current scenario. Hence, this period has been the best for cybercriminals to prey on their victims.
After the Maze ransomware, the digital world is now seeing the resurgence of one of its old foes: the Adwind Remote Access Trojan.
Known for targeting login credentials and other data, the Adwind JRat is a remote access Trojan that is adopting newer tactics as its operator aims to conceal its malicious activity. While evading defensive security tools, its actors exploit common Java functionality in order to steal information. In early 2012, a developer started selling the first of the Adwind family of Java-based remote access tools (RATs), called “Frutas.” In the following years it has been rebranded several times; its other names have included Adwind, UnReCoM, Alien Spy, JSocket, JBifrost, UnknownRat, and JConnectPro. It is capable of stealing credentials, system information and cryptographic keys, as well as taking screenshots, keylogging and even transferring files. In order to target a wide range of platforms, including Windows, Linux, and macOS, this JRat typically uses phishing emails, infected software or malicious websites. Its latest variant targets Windows-based machines and mobile applications on the Google Play Store, and has been targeting financial institutions, where login credentials are valuable.
Concealed in a link inside a phishing email, the malware arrives as a .jar file whose malicious code is hidden under layers of obfuscation, or is downloaded from a legitimate site that is serving unsecured third-party content. The initial .jar file decrypts and prompts a set of processes that ends with initializing the RAT with a command and control (C2) server. Adwind then decrypts a file to obtain the list of C2 server IP addresses. It then chooses another file, and an encrypted request is made via TCP port 80 to load another set of .jar files. This procedure activates the JRat, which can then send C2 requests to access credentials from the browser and send them to a remote server. These credentials can be from a banking app or any social media profile as well.
Staying out of sight
This variant of Adwind largely remains undetected because it behaves like any other Java command. Java commands flow in and out of the enterprise network in their millions, and threat intelligence has little information on how to detect the initial .jar payload. On the surface it looks normal, and there is nothing suspicious about its existence.
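Because a single Java process looks ordinary, one practical approach is to correlate the two behaviours described above: a .jar launched from a user-writable folder (where a phished attachment lands) followed by an outbound TCP port 80 connection from that same process. The following is an added example, not eScan's code; the telemetry format and the list of user-writable directories are assumptions, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in an assumed "<type> pid=<n> ..." format:
# pid 4120 runs a .jar from Downloads and then talks out on TCP/80;
# pid 4121 runs an installed .jar and only talks on 443.
SAMPLE_EVENTS = [
    "proc pid=4120 image=C:\\Program Files\\Java\\bin\\java.exe cmd=java -jar C:\\Users\\bob\\Downloads\\invoice.jar",
    "proc pid=4121 image=C:\\Program Files\\Java\\bin\\java.exe cmd=java -jar C:\\Program Files\\App\\app.jar",
    "net pid=4121 dst=10.0.0.5:443",
    "net pid=4120 dst=203.0.113.7:80",
    "net pid=4120 dst=203.0.113.7:80",
]

# Folders under the user's control where a mailed .jar usually ends up (assumption).
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
PROC_RE = re.compile(r"^proc pid=(\d+) image=(.+?) cmd=(.+)$")
NET_RE = re.compile(r"^net pid=(\d+) dst=([\d.]+):(\d+)$")


def find_suspicious_jars(events):
    """Return {pid: (jar_path, [dst_ip, ...])} for java processes that ran a .jar
    from a user-writable directory AND later opened an outbound TCP/80 connection.
    Either signal alone is noisy; requiring both keeps ordinary Java traffic out."""
    jars = {}                      # pid -> jar path launched from a user-writable folder
    conns = defaultdict(list)      # pid -> destination IPs contacted on port 80
    for line in events:
        m = PROC_RE.match(line)
        if m:
            pid, image, cmd = m.groups()
            jar = re.search(r"-jar\s+(\S+\.jar)", cmd, re.IGNORECASE)
            if image.lower().endswith("java.exe") and jar and USER_WRITABLE.search(jar.group(1)):
                jars[pid] = jar.group(1)
            continue
        m = NET_RE.match(line)
        if m:
            pid, dst, port = m.groups()
            if port == "80":
                conns[pid].append(dst)
    # Only report processes where both behaviours were observed.
    return {pid: (path, conns[pid]) for pid, path in jars.items() if conns[pid]}


if __name__ == "__main__":
    for pid, (path, dsts) in find_suspicious_jars(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {path} -> TCP/80 to {sorted(set(dsts))}")
```

Real endpoint telemetry will need its own parser, and a .jar with spaces in its path would require quoting-aware command-line parsing.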
How can we protect ourselves?
Our security experts suggest reviewing whether the Java platform is actually needed and disabling it for all unauthorized sources. To be on the safe side, use an advanced anti-malware solution from the eScan cybersecurity solutions family. Pay attention to your cybersecurity awareness so that phishing emails are spotted before they do any kind of damage.