Adwind Spyware-as-a-Service Utility Grid Operators Attacks
A phishing campaign for grid operators uses a PDF attachment to offer spyware.
A campaign aimed at a domestic grid infrastructure that spoofs a PDF attachment to deliver Adwind spyware.
Adwind, a.k.a. JRAT or SockRat, is used in this campaign in a malware-as – a-service model, researchers said. It offers a full set of info-gathering features including screenshots, Chrome, IE and Microsoft Edge harvesting credentials, video and audio recording, photo-taking, stealing files, keylogging, reading emails and stealing VPN certificates.
“Critical infrastructure facilities are high-risk targets, and the fact that Adwind is available as a paid service is very concerning,” Bob Noel, vice president of strategic relationships for Plixer, told Threatpost. “Anyone willing to pay can target utilities, and when successful, they have the ability to collect keystrokes, steal passwords, grab screenshots, take pictures from the web camera, record sound, etc. If infected end users have access to critical system information, it could be stolen and used in an attempt to attack the facility.”
According to the Cofense researcher Milo Salvia, the phishing e-mail was sent from a hijacked account at Friary Shoes. It simply says,’ A copy of our forwarding notification attached, which you must sign and return,’ with a built-in button that is intended to point to a PDF file.
However, when a victim clicks the button, they are sent back to a malicious web address; in an analysis on Monday Salvia wrote that cyber criminals abuse the Fletcher Specs domain in order to host the malware. Once the victim arrives on the target machine, a payload is automatically downloaded.
The initial payload campaign has a fake PDF file extension to obscure it’s actually a.JAR file. It creates two Java.exe processes in the background, which load two separate Adwind files. According to Salvia, it beacons to its command-and-control (C2) server.
And the researcher has written that he tries to remain hidden from another executable file called takskill.exe which looks for popular antivirus and malware analysis tools and then disables them.
Adwind has made it a hallmark to bypass and disable security tools. A new variant emerged last year, which used a new technology for the injection of Dynamic Data Exchange (DDE) code for anti-virus evasion.
“Tricking end users into clicking on malicious links or attachments continues to be the most successful means for bad actors to gain access,” said Noel. “As is true in the case of the Adwind remote access trojan, once malware lands on a device, it often has the ability to disable antivirus and other types of endpoint detection agents loaded on the device.”