A
cross-platform remote access Trojan that’s being openly sold as a
service to all types of attackers, from opportunistic cybercriminals to
cyberespionage groups, has been used to attack more than 400,000 systems
over the past three years.
The
RAT (Remote Access Tool/Trojan), which depending on the variant is
known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or JSocket, is
evidence of how successful the malware-as-a-service model can be for
malware creators.
Adwind
is written in Java, so it can run on any OS that has a Java runtime
installed including Windows, Mac OS X, Linux and Android. The Trojan has
been continuously developed since at least 2012 and is being sold out
in the open via a public website.
Like
most Trojans, Adwind can be used to remotely control infected
computers; to steal files, key strokes and saved passwords; to record
audio and video through the computer’s webcam and
microphone and more. Because it has a modular architecture, users can
also install plug-ins that extend its functionality.
The
Adwind author, who researchers from Kaspersky Lab believe to be a
Spanish-speaking individual, is selling access to the RAT on a
subscription-based model, with prices ranging from $25 for 15 days to
$300 a year. The buyers get technical support, obfuscation services to
evade antivirus detection, virtual private network accounts and free
scans with multiple antivirus engines to ensure that their sample is not
detected when deployed.
Kaspersky
Lab estimates that since 2013, attackers have attempted to infect over
440,000 systems with various versions of Adwind. Between August and
January alone, attackers used the RAT in around 200 spear-phishing
campaigns that have reached over 68,000 users.
The latest incarnation of Adwind was launched in June 2015 under the name JSocket and is still being sold.
“In
2015, Russia was the most attacked country, with UAE and Turkey again
near the top, along with the USA, Turkey and Germany,” the Kaspersky
researchers said in a blog post.
They
estimated that by the end of 2015 there were around 1,800
Adwind/JSocket users, putting the developer’s annual revenue at over
$200,000. The large number of users makes it hard to build an attacker
profile. The RAT could be used by anyone from low-level scammers to
cyberspies and private individuals looking to monitor their partners or
spouses.
In
December, researchers working with the Citizen Lab at the University of
Toronto’s Munk School of Global Affairs documented the activities of a
group of attackers that targeted politicians, journalists and public
figures from several South American countries. An earlier version of
Adwind, called AlienSpy, was listed as one of the malware tools used by
the group.
Kaspersky
Lab itself started a detailed investigation into Adwind after a
financial institution in Singapore received the RAT via rogue emails
that were purporting to come from a major Malaysian bank. This was part
of a targeted attack that the company believes was launched by a suspect
of Nigerian origin who focuses on financial institutions.
“Despite
several attempts to take down and stop the Adwind developers from
distributing the malware, Adwind has survived for years and has been
through rebranding and operational expansion that ranged from the
provision of additional plugins for the malware to its own obfuscation
tool and a even a warranty for FUD (fully undetected malware) to
customers,” the Kaspersky researchers said in a research paper.
Since
Adwind is written in Java, it is distributed as a JAR (Java Archive)
file and needs the Java Runtime Environment (JRE) to run. One possible
method to prevent its installation is to change the default application
for handling JAR files to something like Notepad. This will prevent the
code’s execution and will just result in a notepad window with gibberish
text in it.
Of
course, if JRE is not needed by other applications installed on a
computer or by websites visited by its users, then it should be removed.
Unfortunately that’s not possible in most business environments, as
Java is still a major programming language for business applications.
Blogger Comment