Security researchers have spotted an “unusual” cross-platform Java-based remote access trojan (RAT) that is believed to have infected 443,000 victims between 2013 and 2016.
Alexander Gostev and Vitaly Kamluk, the chief security expert and director of the global research and analysis team at Kaspersky Lab APAC, respectively, explain in a blog post that they recently observed the Adwind RAT up to no good.
“The malware sample we received was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the e-mail senders points to a server in Romania while the mail server and account used belong to a company located in Russia.”
Also known as AlienSpy, JSocket, and jRat, the Adwind RAT is commonly sent as the payload of a phishing campaign’s malicious email attachment.
Once executed, the malware has the ability to collect keystrokes, take screenshots, steal cached passwords, collect user information, and even manage SMS (for Android).
Adwind dates back to at least 2012.
However, it might be best known for making headlines last spring when it was found on the cellphone of Alberto Nisman, an Argentinian prosecutor who died under suspicious circumstances while he was working to implicate the government in the 1994 bombing of a Buenos Aires Jewish community center.
AlienSpy went offline shortly thereafter following a report on the malware by Fidelis Security.
But the RAT’s author simply rebranded the tool as “JSocket” and now sells the service via an open website for $30 a month or $200 for an unlimited use license.
These prices, not to mention the malware’s ease-of-use, has enticed thousands of customers to purchase Adwind.
As a result, 443,000 victims have been infected by the RAT since 2013, with 60 companies in manufacturing, finance, engineering, retail, government, shipping, telecommunications, software, education, food production, healthcare, media, and energy among the top targets.
Kaspersky Lab estimates that the malware currently boasts a base of some 1,800 amateur users, the majority of whom live in Nigeria, the United States, Canada, Russia, and Turkey.
As The Inquirer reports, Alexander Gostev believes that Adwind represents a worrying trend:
“The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cyber crime. What we can say based on our investigation of the attack against a Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform’s ‘clients’ have that level of computer education.”
Fortunately, there are many IP addresses and domains that are known to be associated with Adwind.
Organizations can learn more about these indicators of compromise and use them to protect themselves against Adwind-based attacks by referring to the appendix of Kaspersky’s full report on the malware.