Adwind Remote Access Trojan

Adwind Remote Access Trojan (RAT) is being distributed via spam emails. The spam emails were observed to have numerous attachment titles such as “DHL Delivery Notice”, “Proforma Invoice”, “Request for Information”, “Transfer Import” and “Swift Copy” among others. The spam email contains a malicious JAR file attachment.

Adwind RAT has the following functions:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from a webcam
  • record sound from a microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal Virtual Private Network (VPN) certificates

Indicators of Compromise
Files and URLs related to Adwind/jRAT

  • hxxp://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
  • hxxp://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
  • hxxps://nup[.]pw/e2BXtK[.]exe
  • hxxps://nup[.]pw/Qcaq5e[.]jar

Related Hashes SHA256

  • 3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4 (TROJ_DLOADR.AUSUDT)
  • c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b (JAVA_ADWIND.JEJPCO)
  • 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 (JAVA_ADWIND.AUJC)
  • 705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb (BKDR64_AGENT.TYUCT)

Related C&C servers

  • 174[.]127[.]99[.]234 Port 1033
  • hxxp://vacanzaimmobiliare[.]it/testla/WebPanel/post[.]php




Affected Platforms

  • MacOS
  • Windows
  • Linux
  • Android

Resolution:

To prevent and detect a Trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day to day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs should be monitored for suspicious activity.
  • User accounts accessed from infected machines should be reset on a clean computer.





Leave a Reply