Java-based trojan has infected close to 450,000 victims since 2013

David Bisson

Security researchers have spotted an “unusual” cross-platform Java-based remote access trojan (RAT) that is believed to have infected 443,000 victims between 2013 and 2016.

Alexander Gostev and Vitaly Kamluk, the chief security expert and director of the global research and analysis team at Kaspersky Lab APAC, respectively, explain in a blog post that they recently observed the Adwind RAT up to no good.

“The malware sample we received was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the e-mail senders points to a server in Romania while the mail server and account used belong to a company located in Russia.”

Also known as AlienSpy, JSocket, and jRat, the Adwind RAT is commonly sent as the payload of a phishing campaign’s malicious email attachment.


Malicious email

Once executed, the malware has the ability to collect keystrokes, take screenshots, steal cached passwords, collect user information, and even manage SMS (for Android).

Adwind dates back to at least 2012.

However, it might be best known for making headlines last spring when it was found on the cellphone of Alberto Nisman, an Argentinian prosecutor who died under suspicious circumstances while he was working to implicate the government in the 1994 bombing of a Buenos Aires Jewish community center.

AlienSpy went offline shortly thereafter following a report on the malware by Fidelis Security.

But the RAT’s author simply rebranded the tool as “JSocket” and now sells the service via an open website for $30 a month or $200 for an unlimited use license.

These prices, not to mention the malware’s ease of use, have enticed thousands of customers to purchase Adwind.

As a result, 443,000 victims have been infected by the RAT since 2013, with 60 companies in manufacturing, finance, engineering, retail, government, shipping, telecommunications, software, education, food production, healthcare, media, and energy among the top targets.

Adwind RAT console

Kaspersky Lab estimates that the malware currently boasts a base of some 1,800 amateur users, the majority of whom live in Nigeria, the United States, Canada, Russia, and Turkey.

As The Inquirer reports, Alexander Gostev believes that Adwind represents a worrying trend:

“The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cyber crime. What we can say based on our investigation of the attack against a Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform’s ‘clients’ have that level of computer education.”

Fortunately, there are many IP addresses and domains that are known to be associated with Adwind.

Organizations can learn more about these indicators of compromise and use them to protect themselves against Adwind-based attacks by referring to the appendix of Kaspersky’s full report on the malware.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
