Adwind, a Remote Access Trojan (RAT) previously connected to attacks against industries worldwide, is back with a new toolkit designed to trick antivirus programs into allowing the malware to exploit systems.
On Monday, cybersecurity researchers from Cisco Talos, together with intelligence partner ReversingLabs, released the results of an investigation into the Adwind Trojan's latest campaign.
Also known as AlienSpy, JSocket, and jRat, the Trojan is a malware variant that contains a wide variety of 'skills.'
Not only is the RAT able to collect PC information and keystrokes, as well as steal credentials and data submitted via web forms, the malware is also able to record video, sound, and take screenshots. The Trojan is also able to tamper with system files and transfer content without user consent.
More recent variants of the Trojan have been upgraded to consider the lucrative field of cryptocurrency, and Adwind can now also attempt to steal the cryptographic keys required to access cryptocurrency wallets on infected systems.
The Trojan infects PCs after being sent as a malicious payload via phishing campaigns. Crafted emails contain malicious JAR files which, once executed, connect to the RAT's command-and-control (C2) server to download additional payloads and transfer stolen data.
The malware has previously been connected to at least 400,000 attacks against businesses in finance, manufacturing, shipping, and the telecoms industry, among others.
The Trojan has been detected in countries including Turkey, the US, India, Vietnam, and Hong Kong.
The multi-functional Trojan is also a known offering on malware-as-a-service (MaaS) platforms and can be used by threat actors willing to pay a subscription.
A new spam campaign emerged in August which is spreading Adwind 3.0, one of the latest detected variants of the Trojan. The campaign targets Windows, Linux, and Mac machines with a particular focus on victims in Turkey and Germany.
What makes the new scheme interesting, however, is the inclusion of a Dynamic Data Exchange (DDE) code injection attack which aims to compromise Microsoft Excel and circumvent signature-based antivirus solutions.
The phishing campaign sends malicious messages containing a .CSV or .XLT attachment -- both of which are opened by Excel as default.
The malicious files contain one of two droppers, both of which leverage the DDE injection. The dropper file may also use a variety of extensions, including .htm, .xlt, .xlc, and .db.
"Not all of the extensions will be opened by Microsoft Excel by default," Talos says. "However for the non-default extensions a script starting Excel with a file with one of these extensions as a parameter is still a viable attack scenario."
Cisco Talos says the new technique has been implemented in the name of obfuscation. The beginning of the file contains no header to be checked -- which may, in turn, confuse antivirus software which expects ASCII characters to be present in the CSV format, for example.
Instead of detecting the file as a dropper, signature-based antivirus software may simply consider the file corrupted. Talos says that Microsoft Excel does detect the opened file as fake, but the user is still able to open the "corrupt" file if they wish.
There are three warnings in total issued by Microsoft. Should the user persist, the dropper and DDE injection script execute.
The code will then create a Visual Basic script which utilizes bitasdmin. The bitasdmin tool, developed by Microsoft as legitimate software, is a command-line tool for creating, downloading, or uploading jobs and monitoring their progress.
Bitasdmin is abused in order to download the final payload, a Java archive file which contains a commercial packer called Allatori Obfuscator. This packed file then decompresses to deploy the full Adwind RAT.
While this kind of injection attack is not new, the researchers say that "this actor found a way to modify it in order to have an extremely low detection ratio."
"Although both the generic method and the payload are known, this campaign show[s] how some variance into well-known artifacts can trick antivirus [software]," Cisco Talos says. "Their behavior, however, is clearly classical, which means that sandboxing and behavior-based solutions aligned with intent based networks should be able to detect and stop these threats without problems."
In August, researchers from IBM X-Force uncovered an acceleration in the activities of BackSwap, a financial Trojan which specializes in attacks against banks and other financial institutions.
While the Trojan had previously only been detected in cyberattacks levied against banks in Poland, the malware has now spread and crossed Spanish borders.