One of the most popular and widely distributed Remote Access Trojans, the Adwind RAT, has once again been rebranded and is currently going by the name JBifrost.
Adwind's very first appearance was back in January 2012 under the name Frutas RAT. Its first name change, to Adwind RAT, came exactly one year later. Each time the RAT's distribution campaigns were disclosed over the years, the authors renamed it again. In February 2014 Adwind was rebranded to Unrecom RAT. Eight months later, in October, Unrecom RAT became AlienSpy, and in June 2015 it was JSocket RAT.
However, soon after Kaspersky Lab published an in-depth report in February this year, JSocket's operations were terminated and the service was closed down. And yet, Fortinet researchers say that the crooks behind the RAT took immediate measures and rebranded their product for the fifth time. Only three months after the Kaspersky report, on May 15th, the RAT returned to the malware market under a new name: the JBifrost RAT.
The Fortinet team is absolutely sure that this is the same RAT, only rebranded, with a new graphical user interface (GUI) and a couple of features different from its previous reincarnation, JSocket.
One of the easily noticeable changes has to do with JBifrost's website, which is now a closed community. While the RAT was previously available for anyone to buy, this JBifrost reincarnation can be purchased only if the user has been given a special invitation code to register on the website.
Currently, the JBifrost RAT is being sold as a monthly subscription. The first month costs $45, and if the user wants to renew their subscription it costs $40 for each subsequent month.
Another major change involves the payment system the crooks are relying on. In the previous reincarnations of the RAT, payments via CoinPayments, PerfectMoney, Bitcoin, Advcash and EntroMoney were all accepted. Now the cybercriminals are being overly cautious and accept Bitcoin payments only. This is most likely because the other payment methods are not anonymous, which could lead to another exposure of the RAT.
All this only confirms Kaspersky's assessment that the cyber gang behind the RAT is genuinely scared of being uncovered again and is doing its best to stay hidden more than ever.
When it comes to the JBifrost RAT's features, there are only a couple of new ones that the previous brands didn't include. For instance, JBifrost now has two new columns, one that shows the title of the victim's current window and another that shows an infected victim's keyboard status (in use or not). Moreover, the RAT has a new tab called Misc with which users can configure additional JBifrost servers. And last, but not least, it includes a new feature that allows the hackers to steal data from web forms shown in the Google Chrome browser.
Fortinet reveals that, at this point, the JBifrost RAT has been downloaded 1,566 times from its home site and has been observed in live distribution campaigns.
“Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply rebranding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website,” Fortinet researchers Rommel Joven and Roland Dela Paz note. “As of this writing, we can confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes.”