Adwind RAT, known as a cross-platform, multifunctional malware program distributed through a single malware-as-a-service platform, has been used in attacks against nearly 443,000 private users and commercial and non-commercial organizations worldwide.
Research by Kaspersky Lab shows that the main difference between Adwind RAT and other commercial malware is that Adwind is distributed openly as a paid service: the “customer” pays a fee in return for use of the malicious program.
Last year, Kaspersky Lab researchers came across Adwind (also known as AlienSpy, Frutas, Jsocket, Unrecom, Sockrat and jRat) during an attempted targeted attack against a bank in Singapore. The organization had been attacked with the Adwind RAT, a backdoor available for purchase and written entirely in Java, which makes it cross-platform: it runs on Windows, OS X, Linux and Android, providing remote desktop control, data gathering, data exfiltration and more.
“A malicious JAR file was attached to a spear-phishing email received by a targeted employee at the bank,” stated Kaspersky. “The malware’s rich capabilities, including its ability to run on multiple platforms as well as the fact that it was not detected by any antivirus solution, immediately captured the attention of the researchers.”
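The delivery vector described above, a JAR attachment on a spear-phishing email, is easy to check for at the mail gateway without any signature: a JAR is a ZIP archive that carries a META-INF/MANIFEST.MF and compiled .class files, whatever the file is named. The script below is an added example (not Kaspersky's code and not an Adwind sample); it constructs a sample message with a harmless, hand-built JAR attachment named to look like a PDF, then scans the message and reports any attachment that is structurally a Java archive, its declared Main-Class, and whether the filename looks disguised. The sender, recipient, subject, attachment name and class name are all constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every compiled .class file

# Extensions an attacker typically puts in front of ".jar" to make the attachment look like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def build_sample_eml() -> bytes:
    """Constructed spear-phishing message with a minimal JAR attachment (test data, not real malware)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: invoice.Loader\r\n\r\n")
        # A stub entry with the Java class magic; it is not a valid class and cannot run.
        zf.writestr("invoice/Loader.class", JAVA_CLASS_MAGIC + b"\x00" * 12)
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"          # constructed
    msg["To"] = "employee@bank.example"               # constructed
    msg["Subject"] = "SWIFT transfer confirmation"    # constructed
    msg.set_content("Please review the attached confirmation.")
    msg.add_attachment(jar.getvalue(), maintype="application", subtype="octet-stream",
                       filename="SWIFT_confirmation.pdf.jar")   # double extension, constructed
    return msg.as_bytes()


def build_benign_zip() -> bytes:
    """Constructed ordinary ZIP (no manifest, no classes) to show the scanner ignores plain archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> Optional[dict]:
    """Return a finding if the bytes are a Java archive, regardless of the declared filename, else None."""
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    names = zf.namelist()

    main_class = None
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("main-class:"):
                main_class = line.split(":", 1)[1].strip()

    # Count entries that are class files by name or by magic (renamed .class entries still start with CAFEBABE).
    class_files = [n for n in names
                   if n.endswith(".class") or zf.read(n).startswith(JAVA_CLASS_MAGIC)]

    if main_class is None and not class_files:
        return None   # an ordinary ZIP, not a Java archive

    parts = filename.lower().split(".")
    disguised = parts[-1] != "jar" or (len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS)
    return {
        "filename": filename,
        "main_class": main_class,
        "class_files": len(class_files),
        "disguised": disguised,
    }


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return findings for every Java-archive attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        finding = inspect_attachment(name, part.get_content())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_message(build_sample_eml()):
        print("Java archive attachment:", f)
```

The check keys on structure rather than on the declared MIME type or extension, because a gateway that only blocks `*.jar` is bypassed by renaming; a JAR must still be a ZIP with a manifest or class entries to be executed by the Java runtime. In production you would also want to recurse into nested archives, since droppers of this family are commonly wrapped in a second ZIP.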
The malware’s functions include the ability to collect keystrokes, steal cached passwords and grab data from web forms, take pictures and record video from the webcam, take screenshots, record sound from the microphone, transfer files, collect general system and user information, steal keys for cryptocurrency wallets, manage SMS (on Android) and steal VPN certificates.
Adwind is usually used by opportunistic attackers and distributed in mass spam campaigns, although it has also been used in targeted attacks. Last year, Adwind appeared in the news in connection with cyber-espionage against an Argentinian prosecutor who had been found dead in January 2015. The incident at the Singaporean bank was another example of a targeted attack, and according to the malware specialists these were not the only ones.
Kaspersky Lab researchers analyzed nearly 200 spear-phishing attacks organized by unknown criminals to spread the Adwind malware. The attacks observed in the six months between August 2015 and January 2016 resulted in Adwind RAT samples being encountered by more than 68,000 users.
Geographically, 49% of the attacked users were located in the following countries: United Arab Emirates, Germany, India, the US, Italy, Russia, Vietnam, Hong Kong, Turkey and Taiwan.
Based on analysis of user activity on the platform’s internal message board and other observations, Kaspersky Lab researchers estimate that there were around 1,800 users of the malware-as-a-service system by the end of 2015, which makes it one of the biggest malware platforms in existence today.
“Based on the profiles of identified targets, Kaspersky Lab researchers believe that the clients of the Adwind platform fall into the following categories: scammers that want to move to the next level (using malware for more advanced fraud), unfair competitors, cyber-mercenaries (spies for hire), and private individuals that want to spy on people they know,” they stated.