Campaign could expand to other countries at any moment

Jul 4, 2016 21:05 GMT

Danish cyber-security firm Heimdal Security has detected a wave of spam emails delivering malicious attachments laced with versions of the Adwind RAT (Remote Access Trojan).

The campaign took place over the weekend, and according to Heimdal Security experts, it only targeted Danish companies.

Regardless of its initial scope, all spam emails were written in English, so an expansion to other countries may not take more than the push of a button somewhere in the crook's control panel.

Infection occurred via a Java file attachment

Heimdal says the spam emails came with a file attachment named Doc-[Number].jar. A quick scan on VirusTotal revealed that no antivirus engine detected the file as malicious, even though it carried the Adwind RAT, a four-year-old malware family.
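Since signature-based engines missed the attachment, a mail-gateway check on the attachment name and container type is a cheaper first line of defence. The following is an added example (not Heimdal's or Softpedia's code): it parses a MIME message with Python's standard `email` module, flags attachments whose name follows the Doc-[Number].jar pattern reported above, and also flags any Java archive by extension or by ZIP magic bytes, so a renamed JAR is still caught. The sample messages are constructed inline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment naming pattern reported for this campaign: Doc-[Number].jar
CAMPAIGN_NAME_RE = re.compile(r"^Doc-\d+\.jar$", re.IGNORECASE)
# A JAR is a ZIP archive; a ZIP local file header starts with "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"


def triage_attachments(raw_message):
    """Return one finding dict per attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "name": name,
            "name_matches_campaign": bool(CAMPAIGN_NAME_RE.match(name)),
            "extension_jar": name.lower().endswith(".jar"),
            # Content check catches a JAR that was renamed to dodge extension filters
            "is_zip_container": payload.startswith(ZIP_MAGIC),
        })
    return findings


def should_quarantine(findings):
    """Quarantine when any attachment matches the campaign pattern or is a Java archive."""
    return any(f["name_matches_campaign"] or f["extension_jar"] or f["is_zip_container"]
               for f in findings)


def build_sample(filename, payload, subtype):
    """Constructed sample message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    suspicious = build_sample("Doc-48213.jar", ZIP_MAGIC + b"\x00" * 26, "java-archive")
    benign = build_sample("invoice.pdf", b"%PDF-1.4\n%constructed\n", "pdf")
    print("quarantine suspicious:", should_quarantine(triage_attachments(suspicious)))
    print("quarantine benign:", should_quarantine(triage_attachments(benign)))
```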

Adwind first appeared on the market under the name Frutas RAT (January 2012) and was rebranded several times as Unrecom RAT (February 2014), AlienSpy (October 2014), and most recently JSocket RAT (June 2015). The majority of security firms still call it Adwind, the name under which it claimed the most victims.

A Kaspersky report released in February 2016, after authorities managed to shut down the crook's operation, revealed that the group behind this malware sold their toolkit to 1,800 other criminals, who then infected over 443,000 victims.

Crooks were after sensitive business information

Crooks were delivering their malware in order to infect computers belonging to Danish companies.

The Adwind RAT would then open a backdoor on these infected systems and allow the crooks to take over devices, search for sensitive information and then exfiltrate it via various channels.

All computers were also added to a global botnet, which the malware's operator could have used to send spam or launch DDoS attacks if they wanted. Heimdal's team detected over eleven C&C servers used in this latest campaign.

"Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike," Heimdal's Andra Zaharia explains.

"Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them."

Campaign still active, new Adwind RAT version spotted

"All the domains in the alert are still active, as they are the newest ones involved in the attacks," Zaharia tells Softpedia. "The malicious C&C servers using various dynamic DNS service providers are currently being documented to be reported to all concerned parties."

"The campaign is ongoing at the moment, so we recommend companies focus their resources on proactive security measures. As always, employee education is crucial, from our perspective," she adds.

"The Adwind version spotted in these attacks is a slightly modified one as compared to previous variants of this RAT," Zaharia also says. "It features sandbox evasion and various anti-debugger checks. So, by all appearances, it is a new version, but it doesn't have a distinctive name yet," referring to the multiple names the Adwind RAT had used in the past years.

UPDATE [July 5, 2016]: Added further comments regarding the attack from Mrs. Zaharia.