Security researchers from Heimdal Security have noticed a new spam campaign delivering attachments laced with Adwind RAT (Remote Access Trojan).
Adwind RAT is a cross-platform malware which is highly prefered by cyber criminals as it can perform a wide range of malicious functions, including the set up of a backdoor into the victim’s computer.
Despite the fact that Heimdal Security claims the spam campaign was launched during the weekend and it only targeted Danish businesses, the experts think it could soon target other countries.
Heimdal Security researchers reported that the malicious emails came with a file attachment named Doc-[Number].jar, and according to the online antivirus scanning service Virus Total, no antivirus engine was able to detect Adwind RAT so far.
Adwind RAT was first registered in 2012. At that time, the experts called it Frutas RAT, and later it was identified with other names, such as Unrecom RAT (February 2014), AlienSpy (October 2014), and Jsocket RAT (June 2015).
“The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware has been spotted over the weekend in several targeted attacks against Danish companies.” states a post published by Heimdal Security.
“A zero percent detection rate associated with these attacks in bound to make potential targets anxious about the effectiveness of their current defenses.”
According to the security experts, once the Adwind RAT infect a machine it is recruited into a botnet which is controlled by the server jmcoru.alcatelupd [.] Xyz that was also used in other RAT campaigns.
The researchers pointed out that the Adwind RAT could represent a valid hacking tool in targeted attacks. Besides, it allows APT groups to exfiltrate data and remotely control the infected machine by using a small and agile infrastructure.
“Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike.” Heimdal Security claims.
“Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them.”
In February, this year, the Kaspersky Lab security experts have noticed a new variant of the malware that has been modified and offered as a service in the criminal underground. The experts observed more than 150 attack campaigns relying on the new variant of AlienSpy, bad actors in the wild targeted more than 60,000 individuals. The analysis of subscribers to the malware-as-a-service shows that the majority of clients come from the US, Canada, Russia, and Turkey.