Adwind Trojan Circumvents Antivirus Software To Infect Your PC
(Sep 24, 2018)
Unknown threat actors have been observed conducting a spear phishing campaign against machines in Germany and Turkey across industries including finance, manufacturing, shipping, and telecoms, in an effort to infect the targets with the Remote Access Trojan (RAT) "Adwind." macOS, Windows, and Linux systems are all vulnerable to this Java-based RAT (jRAT). Like other RATs, the malware logs keystrokes, steals credentials, and tampers with system files; it additionally steals the cryptographic keys used to access cryptocurrency wallets on infected systems. The jRAT spreads via spear phishing emails carrying a .csv or .xlt attachment that uses Dynamic Data Exchange (DDE) code injection to compromise Microsoft Excel and evade signature-based antivirus protections. The threat actor behind the campaign modified the RAT to keep its detection rate low.
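Because the attachment is a text-based .csv rather than a binary, a mail gateway or analyst can check it for DDE-style formula injection before it ever reaches Excel. The scanner below is an added example, not code from the brief or from any vendor it names; it covers CSV text only (a binary .xlt needs a different parser), and the sample rows are constructed to show the two DDE forms beside a harmless formula and a negative number.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate cell text as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Formulas that reach DDE: the "=app|'topic'!item" launch syntax or a
# DDE()/DDEAUTO() call. Other formula cells are still reported as "formula".
DDE_PATTERN = re.compile(r"^[=+\-@].*?(\|\s*'|\bDDE(?:AUTO)?\s*\()", re.IGNORECASE)


def is_formula_cell(cell):
    """True if Excel would treat this text as a formula rather than data."""
    text = cell.lstrip(" \t\r\n")
    if not text.startswith(FORMULA_TRIGGERS):
        return False
    try:  # "-42.50" or "+7" is a plain number, not a formula
        float(text)
        return False
    except ValueError:
        return True


def scan_csv(text):
    """Return (row, col, kind, cell) for every cell that looks like injection."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                kind = "dde" if DDE_PATTERN.match(cell.lstrip()) else "formula"
                findings.append((r, c, kind, cell))
    return findings


def neutralise_cell(cell):
    """Defang a formula cell the way CSV exporters do: prefix a single quote."""
    return "'" + cell if is_formula_cell(cell) else cell


# Constructed sample attachment: row 3 uses the DDE launch syntax, row 4 a
# DDEAUTO() call, row 5 an ordinary formula, row 2 a harmless negative number.
SAMPLE_CSV = (
    "invoice,amount,note\n"
    "INV-1,-42.50,paid\n"
    "INV-2,100,\"=cmd|' /C calc'!A0\"\n"
    'INV-3,12,"=DDEAUTO(""cmd"";""/c calc"";""x"")"\n'
    "INV-4,7,@SUM(A1:A3)\n"
)

if __name__ == "__main__":
    for r, c, kind, cell in scan_csv(SAMPLE_CSV):
        print(f"row {r} col {c} [{kind}]: {cell!r} -> {neutralise_cell(cell)!r}")
```

A hit of kind "dde" in an inbound attachment is a strong quarantine signal; plain "formula" hits are common in legitimate exports and are better logged than blocked.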
Recommendation: Ensure that your organization practices good basic cyber security hygiene. Organizations and their employees should use strong passwords that are not easily guessable, and should never keep default administrative passwords, which are typically weak and appear on password lists circulated on underground forums. Keep firewalls and antivirus software updated so that systems can detect breaches or threats as early as possible and limit the severity of the consequences. Educate employees on the dangers of phishing emails and teach them how to recognize malicious messages. Symantec also recommends encrypting sensitive data at rest and in transit to mitigate the damage of a potential breach. In the case of a jRAT infection, the affected system must be wiped and reformatted. Incident response should begin with identifying the infection vector, and all other users who received the email should be checked for a similar infection.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.