The cross-platform remote access trojan (RAT) Adwind drops a payload onto Mac computers only after users overlook a series of potential red flags.
Malwarebytes researcher Thomas Reed recently analyzed a sample of Adwind that was going undetected after a colleague told him the RAT was allegedly cross-platform.
Reed was doubtful, as he explains in a blog post:
“This is often code for ‘this malware was written in Java,’ which doesn’t necessarily mean that it actually drops a Mac payload. So I was a bit skeptical, and said so. But, hey, new malware to play with… how could I resist taking a peek?”
The researcher had a right to be skeptical. After discovering the malware was written in Java, he came across at least four red flags that could potentially warn users of an infection:
- The malware dropper attempted to mimic a document, but it took .jar as its extension and not something more common like .docx or .pdf.
- Mac systems won’t run the malware without Java, a runtime that Apple stopped shipping with its computers years ago.
- The malicious file isn’t code-signed, so Gatekeeper in its default configuration blocks it from running.
- Even when the file executed, no decoy document or fake app interface appeared. Most users would realize something funny was up.
All of that notwithstanding, the malware had a surprise for Reed. As he notes:
“When I looked to see what file system changes had been made, lo and behold, there was a brand new launch agent, loading an executable found in a brand new hidden folder!
“The launch agent file was named org.yrGfjOQJztZ.plist, and was found in the user LaunchAgents folder. It loaded a Java app named BgHSYtccjkN.ELbrtQ, and found in a hidden folder in the user’s home folder.”
Adwind, otherwise known as AlienSpy, JSocket, and jRat, has been around since at least 2012. Once it infects a user’s computer, it carries out the usual functions of a RAT, including capturing screenshots, stealing passwords, and managing SMS on Android devices.
The trojan is openly sold on a website at US $30 a month, or $200 for an unlimited license. Given that, it’s no wonder the malware infected at least 443,000 users between 2013 and 2016.
In July alone, researchers spotted Adwind involved in multiple targeted attack campaigns aimed at Danish companies.
All of that aside, Adwind isn’t the strongest piece of malware when it comes to Mac users because of its red flags. Reed agrees:
“In all, this malware isn’t particularly worrisome. It would take a bit of effort on the part of a Mac user to infect their computer with Adwind in its current form.”
To avoid an infection, users should install an anti-virus solution on their computers, watch for the red flags explained above, and exercise digital security common sense, which includes not opening suspicious email attachments.
How does one check for this RAT?
The article says, "The launch agent file was named org.yrGfjOQJztZ.plist, and was found in the user LaunchAgents folder…" So, check your ~/Library/LaunchAgents folder for a file with that name. If it's there, trash that file to keep the executable from running when you start up.
The article also says, "It loaded a Java app named BgHSYtccjkN.ELbrtQ, and found in a hidden folder in the user’s home folder." So, use whatever utility you normally use to show hidden and system files & folders (e.g., TinkerTool). Then inspect your home folder for a hidden folder that contains the Java app with the name shown above. If it's there, trash the folder to get rid of the malware. (Sorry I can't tell you the name of the hidden folder; the article doesn't say what it is.)
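A shell script that performs the check described in the comment above, as an added example that is not part of the article or of the comment. It assumes only the two indicator names the article gives; because the hidden folder's name is not stated, it inspects every dot-folder directly under the home directory, and it also flags, for manual review, any other user launch agent that runs something out of a hidden folder (a heuristic that can match legitimate tools too).

```shell
#!/bin/sh
# Added example (not from the article or Malwarebytes): look for the two Adwind
# indicators named in the article, plus a review heuristic for similar agents.
# Assumptions: run against the user's own macOS home directory; the hidden
# folder name is unknown, so every dot-folder under the home directory is checked.

ADWIND_PLIST="org.yrGfjOQJztZ.plist"
ADWIND_APP="BgHSYtccjkN.ELbrtQ"

# adwind_check [HOME_DIR]: prints each finding; returns 1 if anything was found, else 0.
adwind_check() {
  home="${1:-$HOME}"
  found=0

  # 1. The launch agent named in the article, in the per-user LaunchAgents folder.
  plist="$home/Library/LaunchAgents/$ADWIND_PLIST"
  if [ -f "$plist" ]; then
    echo "FOUND launch agent: $plist"
    found=1
  fi

  # 2. The Java app, in any hidden folder directly under the home directory.
  for d in "$home"/.*/; do
    case "$d" in */./|*/../) continue ;; esac
    [ -d "$d" ] || continue
    if [ -e "$d$ADWIND_APP" ]; then
      echo "FOUND hidden Java app: $d$ADWIND_APP"
      found=1
    fi
  done

  # 3. Heuristic: any other user launch agent whose program path contains a
  #    hidden folder component ("/.name/"). Legitimate tools sometimes do this,
  #    so these are items to review, not confirmed infections.
  #    (Binary plists need 'plutil -convert xml1' first; XML plists are assumed.)
  for p in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$p" ] || continue
    [ "$p" = "$plist" ] && continue
    if grep -aEq '<string>[^<]*/\.[^/<]+/[^<]*</string>' "$p"; then
      echo "REVIEW launch agent referencing a hidden folder: $p"
      found=1
    fi
  done

  return $found
}

# Run against the current user's home folder when executed as adwind_check.sh.
case "${0##*/}" in adwind_check.sh) adwind_check "$HOME" ;; esac
```

Run it as `sh adwind_check.sh`; a non-zero exit status means at least one line was printed and the named files should be inspected and removed as the comment describes.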
Red flag number 2 says:
"Mac systems won't run the malware without Java, a system which Apple dropped from its computers years ago."
It's true that Macs that came with OS X 10.8.3 or above already installed didn't include Java. And all OS X installers since then have excluded Java.
Nevertheless, I suspect that there are many Mac users who still have Java on their computers, even if they're not using it. I'm currently running Yosemite 10.10.5 on a Mac Pro 6.1, which was upgraded from Mountain Lion 10.8.5 on a Mac Pro 5.1, which in turn was upgraded from Snow Leopard 10.6.8 on a G5, which did include Java. I've kept it updated because I use it.
The point is that the OS X installers for Mountain Lion and Yosemite didn't remove Java from my computer, and anyone else who followed a similar upgrade path is in the same boat. So, the fact that Apple doesn't distribute Java with the OS X installers anymore doesn't mean that users don't have it installed somewhere on their computers.