Adwind RAT, also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRAT, is a remote access trojan that was first spotted in 2012 as Frutas. Kaspersky has tracked more than 150 attack campaigns against more than 60,000 targets from 2013 until early 2016.
What are the capabilities of Adwind?
The remote access trojan’s capabilities include:
AlienSpy distributed via phishing campaigns
In April 2015, the AlienSpy (aka Adwind) trojan targeted entities in the financial, telecom, and government sectors via phishing campaigns. The phishing emails included malicious attachments disguised as financial documents such as invoices, remittances, or orders. These malicious attachments delivered the AlienSpy trojan to victims’ computers.
This trojan runs on multiple platforms including Windows, Mac OS, Linux, and Android.
Adwind sold as RAT-as-a-Service
JSocket, also known as AlienSpy and Adwind RAT, was sold as ‘RAT-as-a-Service’. The RAT was sold at a price ranging from $30 for one month to $200 for an unlimited license. This RAT is capable of detecting and evading antivirus software on a system, keylogging, and stealing VPN credentials.
Adwind infects 1500 organizations
According to Kaspersky, Adwind RAT has infected almost 1,500 organizations from 100 countries. Adwind RAT attacks have impacted 20% of the organizations in the industrial sectors, followed by the architecture and construction sector (9.5%), shipping and logistics (5.5%), and insurance and legal service (5%).
Adwind RAT targets the aerospace industry
In July 2017, Adwind RAT targeted enterprises in the aerospace industry via a spam campaign. Switzerland, Ukraine, Austria, and the US were among the most affected countries.
The spam campaign was deployed in two waves: the first on June 7, 2017, and the second on June 14, 2017. Both waves employed a similar social engineering tactic to lure victims into clicking the malicious URLs.
Autodesk A360 abused to deliver Adwind RAT
The cloud-based storage platform Autodesk A360 was abused to deliver three remote access trojans: Adwind RAT, Remcos RAT, and Netwire RAT.
Phishing campaigns distributing Adwind RAT
Adwind 3.0
In September 2018, researchers spotted a new spam campaign distributing a new version of Adwind 3.0. This new version targets Windows, Linux, and Mac OS X users and is able to bypass antivirus software. Researchers determined that a majority of the victims of the new campaign were located in Turkey.
Adwind relies on Houdini
Researchers observed that Adwind RAT relies on another remote access trojan called Houdini to infect systems. They also noted that Adwind RAT contained various payloads for deployment.