Cybersecurity alert on Adwind threat

Cybersecurity specialist Kaspersky Lab, which is warning banks of renewed activity by the so-called Carbanak cybergang, reports that it also has evidence of a malware-as-a-service platform which has hit more than 400,000 users and organisations worldwide.

The Russian security company has named the remote access trojan (RAT) ‘Adwind’, but it is also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat. Among the main features distinguishing the Adwind platform from other commercial malware is that it is distributed openly in the form of a paid service, where the “customer” pays a fee in return for use of the malicious programme.

Kaspersky Lab researchers estimate that there were around 1,800 users in the system by the end of 2015, making it one of the biggest malware platforms currently in existence.

The research suggests that clients of the Adwind platform fall into the following categories:
• Scammers seeking to move to the next level, using malware for more advanced fraud.
• Unfair competitors.
• Cyber-mercenaries, or ‘spies for hire’.
• Private individuals who wish to spy on people they know.

Kaspersky Lab believes that since it began its investigation in 2013, different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organisations worldwide and that both the platform and the malware are still active.

At the end of last year, its researchers became aware of an unusual malware programme discovered during an attempted targeted attack against a bank in Singapore. A malicious Java Archive (JAR) file was attached to a spear-phishing email received by a targeted bank employee. The malware showed rich capabilities, including its ability to run on multiple platforms as well as the fact that it was not detected by any antivirus solution.

Investigation showed that the organisation had been attacked with the Adwind RAT, a backdoor available for purchase and written entirely in Java, which makes it cross-platform. It can run on Windows, OS X, Linux and Android, providing capabilities for remote desktop control, data gathering and data exfiltration.

The researchers also analysed nearly 200 examples of spear-phishing attacks launched by unknown criminals to spread the Adwind malware, and found that the targets were across a wide range of organisations and industry sectors.

“The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cybercrime,” said Aleksandr Gostev, chief security expert at Kaspersky Lab.

“What we can say based on our investigation of the attack against the Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform’s ‘clients’ have that level of computer education. That is a worrisome trend.”

“Despite multiple reports about different generations of this tool, published by security vendors in recent years, the platform is still active and inhabited with criminals of all kinds,” added Vitaly Kamluk, director of the global research and analysis team in Asia Pacific.

“We’ve conducted this research in order to attract the attention of the security community and law enforcement agencies and to make the necessary steps in order to disrupt it completely.”

Kaspersky Lab said that it has reported its findings on the Adwind platform to law enforcement agencies. It also recommends that all enterprises review why they use the Java platform at all and disable it for all unauthorised sources.
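Because the Singapore attack arrived as a JAR file attached to a spear-phishing e-mail, one concrete control that follows from the article's advice is to inspect inbound attachments for executable Java archives by content rather than by file extension. The script below is an added example, not code from the article or from Kaspersky Lab: it parses an e-mail, looks for attachments that carry the ZIP signature, and reports those that contain a JAR manifest with a Main-Class entry or compiled .class files. The sample message and JAR are constructed inline; the addresses and filenames are placeholders.

```python
"""Flag e-mail attachments that are runnable Java archives (JARs).

Added example (not Kaspersky Lab's code). A JAR is a ZIP archive, so the check
starts from the ZIP signature and then looks for a manifest and .class entries,
which catches renamed or double-extension attachments that a filename filter misses.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP/JAR


def classify_zip_payload(data: bytes) -> Optional[dict]:
    """Return a finding dict if `data` is a ZIP that looks like a runnable JAR, else None."""
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    has_manifest = "META-INF/MANIFEST.MF" in names
    class_files = [n for n in names if n.lower().endswith(".class")]
    main_class = None
    if has_manifest:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            # Main-Class names the entry point `java -jar` will execute
            if line.lower().startswith("main-class:"):
                main_class = line.split(":", 1)[1].strip()
    if not (has_manifest or class_files):
        return None  # a plain ZIP of documents, not a Java archive
    return {"main_class": main_class, "class_count": len(class_files)}


def find_jar_attachments(raw_eml: bytes) -> list:
    """Parse a raw RFC 5322 message and return one finding per JAR-like attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        result = classify_zip_payload(payload)
        if result:
            result["filename"] = part.get_filename() or "<unnamed>"
            result["content_type"] = part.get_content_type()
            findings.append(result)
    return findings


def build_sample_jar() -> bytes:
    """Constructed test fixture: a minimal JAR layout with a manifest and one class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Invoice\r\n\r\n")
        # 0xCAFEBABE is the Java class-file magic; the rest is padding, not a real class
        zf.writestr("Invoice.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed spear-phishing-style message: one JAR sent as a generic .zip, one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "employee@example.invalid"      # placeholder address
    msg["Subject"] = "Invoice for review"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(build_sample_jar(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_jar_attachments(build_sample_email()):
        print(f"JAR-like attachment: {finding['filename']} "
              f"(Main-Class={finding['main_class']}, classes={finding['class_count']})")
```

The content-based check is the point: the sample JAR is sent under a `.zip` name and an `application/octet-stream` type, and is still identified because the manifest and class entries are inspected. A gateway rule that keys only on a `.jar` extension would pass it through.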
