Experts from ReversingLabs and Cisco Talos have registered a new Adwind campaign aimed at Windows, Linux, and macOS systems.
The samples used in the recent spam campaign are Adwind 3.0 Trojan (RAT), leveraging the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.
According to the security researchers, the hackers mainly targeted users in Turkey (75%), and their other victims were members of the Turkish community situated in Germany.
All the malicious documents used in the Adwind campaign were written in Turkish.
“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” the analysis by Cisco Talos states.
The researchers registered at least two different droppers in the campaign using both – the .csv or .xlt files, opened by default by Microsoft Excel. The two files would leverage a new variant of the DDE code injection attack which is still undetected.
The dropper file can have more than 30 different file extensions, though some of them are not opened by Excel by default. Nevertheless, the hackers can use a script launching Excel with a file with one of these extensions as a parameter.
“Formats like CSV doesn’t have a predefined header, thus it can contain any kind of data at the beginning. Having random data like in the samples we found my trick the anti-virus into skip the file scanning. Other formats may be considered corrupted, as they might not follow the expected format.” the report reads.
Excel will display differed warnings to the user regarding the execution of code. The first warning is related to the execution of a corrupted file, and the second – notifies the user that the document will execute the application “CMD.exe.” As soon as the user accepts all the warnings, the malicious application is executed on the system.
According to Talos, the cyber criminals aim at injecting code that would create and execute a Visual Basic Script that uses the “bitasdmin” Microsoft tool to download or upload jobs and monitor their progress, to get the final payload in the form of a Java archive.
The Java code is packed with the demo version of the “Allatori Obfuscator commercial packer, version 4.7, and the final payload is a sample the Adwind RAT v3.0.
“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations.”
“This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio.” Talos says.
