A form of trojan malware which has been used by cyber criminals to steal login credentials and other information from victims for over five years has been updated with the ability to hide in plain sight by using legitimate Java commands to mask its malicious behaviour.
The Adwind remote access trojan (RAT) – also known as AlienSpy and jRAT – first emerged in 2013 and is available ‘as-a-service’ to criminals who want to use its credential, keylogging, audio recording and other trojan malware capabilities against victims.
The malware can target users of several major operating systems and typically infects victims via phishing emails, compromised software downloads or malicious websites.
Now a new variant of the malware has emerged which appears to specifically target Windows and common Windows applications including Internet Explorer and Outlook, along with Chromium-based browsers including Brave – which was only released this year.
Detailed by researchers at Menlo Security, the latest incarnation of Adwind is delivered by a JAR (Java Archive) file, with its malicious intent obfuscated behind several layers of packaging and encryption in order to make signature-based detection ineffective.
Once the malware has unpacked a list of command and control server addresses, Adwind is activated and is able to receive instructions and send stolen information back to the hosts – including bank credentials, business application logins and any passwords saved in a browser.
This latest version of Adwind also masks its behaviour while doing this by acting like any other Java command, allowing the activity to occur while remaining undetected.
The authors do this by hiding malicious JAR files amongst a number of legitimate JAR applications, using encryption to make it hard to detect the initial JAR file and by loading additional JAR files from a remote server. All of this makes it difficult to detect abnormal activity.
“It’s like wading through a crowd of a million people and trying to pick out the one person wearing a green undershirt without being able to look under people’s jackets. There’s nothing suspicious about its existence, its appearance or even its initial behaviour. Everything about it seems normal.” said Krishnan Subramanian, security researcher at Menlo Labs.
However, Adwind does let the mask slip in one way: when it sends stolen credentials to a remote server, it uses commands that are not associated with Java – although by the time the malware is sending information back to the attackers, the damage has already been done.
That means organisations need to have a hand on what’s happening on the network so attacks can be stopped before they do damage – and to be mindful of unexpected files in the system.
“From a detection standpoint, good visibility on web and email traffic is a must. These jRAT filenames seem to have a pattern by using common financial terms like “Remittance”, “Payment”, “Advice,”. It’s always a good idea to check the filename of a Java Application before invoking it,” said Subramanian.
MORE ON CYBERCRIME