A new campaign of Adwin is extremely widespread

Feb 24, 2017 13:22 GMT  ·  By

Adwind Remote Access Tool is being put to use again in an attack against over 1,500 organizations in 100 countries and territories.

According to Kaspersky Lab, the attacks impact various industrial sectors, retail and distribution accounting for 20% of the organizations affected. Organizations working in the architecture and construction sector account for 9.5% of attacks, shipping and logistics for 5.5%, insurance and legal services, as well as consulting, for 5% each.

It seems that victims of Adwind receive emails that are spoofed to look like they come from HSBC Advising Service, using mail.hsbcnet.hsbc.com as a domain. The message contains payment advice in an attachment, which turns out to contain a malware sample instead.

The ZIP files, if opened, reveal a JAR file. The malware quickly self-installs and attempts to communicate to the C&C server, allowing attackers to gain almost complete control over the compromised device. Mostly, they use this backdoor to steal confidential information.

Attack goes global

Kaspersky's data shows that about 40% of all attacks target organizations in the following ten countries - Malaysia, the United Kingdom, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico, and the Russian Federation.

"According to Kaspersky Lab researchers, since the victims include a high proportion of businesses, criminals could use industry-specific mailing list to target their attacks. Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology," the announcement reads.

The Adwind Remote Access Tool (RAT) is a cross-platform multifunctional malware program that's also known under several other names, including AlienSpy, Frutas, Unrecom, Sockrat, JScoket, and jRat. The malicious program is used commercially, meaning that attackers have to pay to distribute their malware.

Between 2013 and 2016, Kaspersky estimates that Adwind malware has been used in attacks against at least 443,000 private users around the world.