Uses a Microsoft Excel code injection attack to infect targets

Sep 24, 2018 15:44 GMT  ·  By

The infamous cross-platform Adwind multifunctional Trojan has been detected in a new spam campaign targeting Windows, Linux, and macOS users.

As reported in a joint analysis by Cisco Talos and ReversingLabs, the new campaign was first detected on September 10, and it uses a Microsoft Excel Dynamic Data Exchange (DDE) code injection attack to infect targets.

Furthermore, after closer examination, the new Adwind remote access tool (RAT) variant (also known as jRat, AlienSpy, and JSocket) is capable of avoiding detection by most major anti-malware solutions, successfully compromising the victim's computer without any alerts.

The Adwind malware is a multifunctional malicious toolkit designed to perform all sorts of tasks for the attacker, from stealing sensitive information such as passwords and VPN certificates to collecting and exfiltrating keystrokes.

Moreover, the Adwind multifunctional RAT is also known to be able to record video and sound and take photos using a webcam, to transfer files, as well as to mine cryptocurrency and loot cryptocurrency wallets.

The Adwind cross-platform malware can steal data, record video, and mine cryptocurrency 

Adwind has been making the rounds since 2013, with known instances of the RAT attacking more than 400,000 enterprises and individuals all over the world.

The current spam campaign utilizes a Microsoft Office dropper, which makes use of a DDE code injection attack to remain undetected.

The dropper is embedded within a malicious e-mail attachment in the form of a CSV or XLT document compatible with Microsoft Excel.

When the dropper runs, the victim receives three warnings, but if they are ignored, the Adwind Trojan is downloaded in the form of a Java payload, compromising the host computer and immediately achieving persistence on Windows, macOS, or Linux machines.
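Because the dropper arrives as a CSV or XLT file, a mail gateway or IR analyst can triage the plain-text CSV case directly. The following is an added defender-side example, not code from the Cisco Talos/ReversingLabs analysis: it flags CSV cells that Excel would evaluate as formulas and that carry a DDE-style `app|topic!item` reference or a `DDE()`/`DDEAUTO()` call. The sample CSV, the function name and the regular expression are constructed for illustration.

```python
import csv
import io
import re

# Excel treats a CSV cell as a formula when its first character is one of these.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# A DDE reference has the shape app|topic!item (the topic is often quoted);
# the DDE()/DDEAUTO() keywords are the other spelling of the same mechanism.
DDE_PATTERN = re.compile(r"(\|\s*'?[^'!|]*'?\s*!)|\bDDE(AUTO)?\s*\(", re.IGNORECASE)


def find_dde_cells(csv_text):
    """Return (row, col, cell) for every cell that looks like a DDE formula.

    Hypothetical triage helper written for this article. Rows and columns
    are 1-based so they map onto what an analyst sees in a spreadsheet.
    """
    hits = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_idx, row in enumerate(reader, start=1):
        for col_idx, cell in enumerate(row, start=1):
            value = cell.lstrip(" \t\r\n")  # be conservative about leading whitespace
            # Plain text and ordinary numbers cannot become formulas; skip them.
            if not value.startswith(FORMULA_TRIGGERS):
                continue
            if DDE_PATTERN.search(value):
                hits.append((row_idx, col_idx, value))
    return hits


# Constructed sample attachment: one ordinary formula, one negative number,
# and two DDE-style cells (the "command" only echoes a string).
SAMPLE_CSV = (
    "invoice_id,customer,amount,note\n"
    "1001,Acme Corp,-250.00,=SUM(C2:C2)\n"
    "1002,\"=cmd|'/c echo constructed-sample'!A1\",120.50,paid\n"
    "1003,Beta LLC,99.99,\"=DDEAUTO(\"\"x\"\",\"\"y\"\")\"\n"
)


def scan_attachment(csv_text=SAMPLE_CSV):
    """Return True when the CSV contains at least one DDE-style formula cell."""
    return len(find_dde_cells(csv_text)) > 0


if __name__ == "__main__":
    for row, col, cell in find_dde_cells(SAMPLE_CSV):
        print(f"row {row}, col {col}: {cell}")
```

Ordinary formulas such as `=SUM(...)` and negative amounts are not flagged, so the check can run on every CSV attachment without drowning the queue in false positives; XLT files are binary and need a real Office parser.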

Even though the innovatively packed new Adwind variant manages to avoid detection by some anti-malware software, behavior- and sandbox-based antivirus solutions should be capable of detecting and blocking it successfully.

Image: Trojan Horse
Image: Sample of Adwind spam email