Kaspersky Lab has detected a massive new hit by the Adwind Remote Access Tool (RAT). This multifunctional backdoor has been used in attacks against more than 1,500 organizations in over 100 countries and territories including the Philippines.
The attacks have impacted various industrial sectors, including retail and distribution (20.1%), architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%) and consulting (5%).
Adwind’s victims receive e-mails sent in the name of the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain), with payment advice in the attachment. According to Kaspersky Lab research, the activity of this email domain can be tracked back to 2013.
Instead of instructions, the attachments contain the malware sample. If the targeted user opens the attached ZIP file, which has a JAR file in it, the malware self-installs and attempts to communicate with its command and control server.
The malware allows the attacker to gain almost complete control over the compromised device and steal confidential information from the infected computer.
The geographical distribution of attacked users registered by the Kaspersky Security Network (KSN) during this period shows that almost half of them (more than 40%) were living in the following ten countries:
According to Kaspersky Lab researchers, since the victims include a high proportion of businesses, criminals could use industry-specific mailing list to target their attacks. Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology.
History of the Adwind RAT malware
In 2016, Kaspersky lab reported attacks made with the Adwind Remote Access Tool (RAT), a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which is distributed through a single malware-as-a-service platform.
One of the main features that distinguishes the Adwind RAT from other commercial malware is that it is distributed openly in the form of a paid service, where the “customer” pays a fee to use the malicious program.
According to the results of the investigation, which was conducted between 2013 and 2016, different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world.
In order to protect yourself and your organization against this threat, Kaspersky Lab encourages enterprises to limit the use of Java to isolated applications that are impossible to run without the use of this platform.
In a similar way to financial operations, Java applications can be isolated with maximum security principles applied to them.
Kaspersky Lab’s solutions offer a wide variety of Application Control features to set the granular policy, and monitor and control the use of specific applications on corporate endpoints.
For a full overview of financial threats and their evolution during the last year, please read our report “Financial Cyberthreats in 2016”.