New Adwind RAT Campaign Having Zero AV Detection Attacks Businesses in Denmark
This weekend, security researchers revealed the reappearance of the Adwind Remote Access Trojan (RAT) in spam emails carrying the spyware, as part of a campaign targeting companies based in Denmark. According to Heimdal Security, a Romanian firm, the malicious emails, which target English speakers, went undetected by antivirus scans.
Andra Zaharia of Heimdal Security wrote in a company blog post on Monday that Adwind is a particularly insidious threat because it is cross-platform and can perform a broad variety of functions. Successful Adwind infections give online criminals a backdoor into PCs running Windows, Linux, Android and even OS X.
Andra Zaharia, a Heimdal security specialist, explained in the analysis that "the RAT was last seen a few months ago, after having been apparently taken down in 2015". It infected nearly half a million citizens and organizations around the world. Now it has appeared again, which proves that cyber-criminals have not given up on using it.
Infosecurity-magazine.com reported on July 5th, 2016, that Adwind is Java-based malware that is frequently associated with APT campaigns. As per Heimdal, it is "cross-platform, multifunctional and plain destructive".
The Adwind Remote Access Trojan then opens a backdoor on the infected systems and permits the crooks to control the devices, look for sensitive data and finally exfiltrate it through different channels.
Infected computers are also added to a global botnet, which the malware's operators could use for sending spam or launching DDoS attacks if they wished. The Heimdal team discovered more than eleven C&C servers used in the latest campaign.
She says that "the campaign is ongoing at the moment, so we recommend companies focus their resources on proactive security measures". As usual, employee education is vital from Heimdal's viewpoint, she added.
Zaharia further says that "the Adwind version spotted in these attacks is a slightly modified one as compared to previous variants of this RAT". It contains sandbox evasion as well as several anti-debugger checks. By all appearances it is a new version, but it does not yet have a distinctive name, unlike the several names the Adwind RAT has gone by in past years.
As far as protection is concerned, admins should build data security in layers and teach employees how to recognize malicious mail. The unsolicited mails spreading Adwind carry the subject line "Quotation request".
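As an added illustration of the layered mail defence recommended above (example code written for this page, not code from the article or from Heimdal), the following Python check scores an inbound message on the campaign's "Quotation request" subject line together with a Java-type attachment. The sample message, its addresses, the attachment name and the extension list are constructed assumptions, not indicators taken from the report.

```python
import email
from email import policy

# Constructed sample lure: the subject line is the one named in the report;
# sender, recipient, body and attachment name are invented placeholders.
SAMPLE_MESSAGE = """\
From: sales@example.invalid
To: purchasing@example.invalid
Subject: Quotation request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the quotation request.
--b1
Content-Type: application/octet-stream; name="quotation.jar"
Content-Disposition: attachment; filename="quotation.jar"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Assumption: since Adwind is Java-based, Java archives and script droppers are
# the attachment types this filter treats as high risk (our choice, not the report's).
SUSPICIOUS_EXTENSIONS = (".jar", ".jnlp", ".js", ".vbs")
LURE_SUBJECT = "quotation request"


def assess_message(raw: str) -> dict:
    """Parse one raw RFC 822 message and return a delivery verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    # iter_attachments() yields nothing for single-part messages.
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in names if n.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    lure = subject == LURE_SUBJECT
    # Both indicators together: quarantine; one alone: hold for analyst review.
    if lure and risky:
        verdict = "quarantine"
    elif lure or risky:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject": subject, "risky_attachments": risky, "verdict": verdict}


if __name__ == "__main__":
    print(assess_message(SAMPLE_MESSAGE))
```

The verdict logic is deliberately simple; in a real gateway the subject match would be one signal alongside sender reputation and attachment sandboxing.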
» SPAMfighter News - 7/11/2016