Adwind RAT resurfaces again, relies on another malware for infection

• It now comes as a variant that uses different payloads and spreads mainly through JAR files.
• In this camapign, the VBS-based infamous worm Houdini is leveraged to infect computer systems.

Adwind, a well-known multifunctional malware program which made news in late 2017 has sprung back. A report by McAfee Labs indicated that the remote access tool (RAT) now relies on another malware known as Houdini to infect systems. On top of this, the new variant contained various payloads for deployment.

Worth noting

• Adwind mainly targets platforms compatible with Java applications and running the Java Runtime Environment.
• It primarily uses a malicious JAR file as an attachment in spam emails, evident in earlier campaigns.
• Once the JAR file runs in the system, Adwind gets installed and communicates with a remote server to conduct other malicious activities.
• The latest variant collaborates with H-Worm/Houdini VBS-based worm to successfully infect systems.
• A file called operational.Jrat drops the final payload thus completely compromising the system.
• Consequently, another file called Bymqzbfsrg.vbs enables attackers to control the infected machine.

What can the malware do?

Adwind is known to possess many malicious capabilities. This includes collecting keystrokes, stealing passwords and data from web forms, taking screenshots and video from webcams, and lastly transferring files to the remote server.

Adwind has also evolved to steal from cryptocurrency wallets as well as exploit VPN certificates.

In 2017, most campaigns concerning Adwind spam were found to evade detection from antivirus and similar software. This was due to the presence of complex, layered function calls in multiple JAR files.

In earlier campaigns, Adwind relied on different file extensions such as .dll, .bin, and .so. It is estimated that more than a million emails were sent to victims in 2017.