Spam Campaign Distributes AdWind RAT

Dell SecureWorks Counter Threat Unit™ (CTU) researchers analyzed spam campaigns that distributed the AdWind remote access trojan (RAT). AdWind, also known as Frutas, UNRECOM, AlienSpy, and JSocket, is a Java-based RAT.

It is typically distributed as a .jar (Java archive) attachment via spam emails (see Figure 1) and relies on social engineering to convince a victim to execute the attachment. In some samples analyzed by CTU researchers, the attachment was an obfuscated VBScript (.vbs) file that downloads and installs AdWind, or the email message just included a link to download and install the malware.


Figure 1. Example spam email distributing AdWind. (Source: Dell SecureWorks)

The Java Runtime Environment (JRE) must be installed for the malware to execute. Some AdWind variants download and install the required version of the JRE if it is not present on the victim's system. Because the malware is written in Java, it can run on multiple operating systems such as Windows, Mac OS X, and Linux.

The AdWind RAT .jar file is obfuscated, and its payload and configuration file (which serves as an installation file) are encrypted with the DES, RC4, or RC6 ciphers. The malware attempts to decrypt itself during execution. Once executed, AdWind has the following capabilities:

  • Log keystrokes
  • Access webcam
  • Take screenshots
  • Remotely access the file system (read, write, delete)
  • Remotely access the mouse and keyboard
  • Download and execute other files from a remote server

CTU researchers observed AdWind creating and operating from a directory structure under the victim's home directory that uses random alphanumeric characters for the directory name and filename, and includes a random file extension for the file (e.g., C:\Users\<user>\NbZNzkmlJBe\CSBIZZZtmAS.aeYHig). It may also drop a text file such as C:\Users\<user>\NbZNzkmlJBe\ID.txt.

The malware changes the folder and file attributes to system, hidden, and read-only using the attrib command:

attrib +s +h +r "C:\Users\<user>\NbZNzkmlJBe\*.*"
attrib +s +h +r "C:\Users\<user>\NbZNzkmlJBe"

AdWind copies the related Java Runtime files to a temporary directory within the victim's home directory using the xcopy command:

xcopy "C:\Program Files\Java\jre7" "C:\Users\<user>\AppData\Roaming\Oracle\" /e

It then adds its file path to the HKCU Run registry key for persistence using the reg command:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v RgnxMoHuBRi /t REG_EXPAND_SZ /d "\"C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\<user>\NbZNzkmlJBe\CSBIZZZtmAS.aeYHig\"" /f

The command generates the following registry entry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RgnxMoHuBRi
Data: "C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\<user>\NbZNzkmlJBe\CSBIZZZtmAS.aeYHig"

The AdWind RAT is then launched using javaw.exe so that there is no associated console window:

C:\Users\<user>\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\<user>\NbZNzkmlJBe\CSBIZZZtmAS.aeYHig
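The install sequence above leaves a recognisable footprint in the HKCU Run key: a javaw.exe that lives inside the user profile (the copied JRE under AppData\Roaming\Oracle) launching a -jar target in a single opaque folder under the profile root with a non-.jar extension. The script below is an added example, not code from the post or from CTU, that scores Run-key values against those three signals; the sample entries are constructed (the first mirrors the post's reg add command, the other two are made-up benign values), and the two-signal threshold is this example's choice rather than anything the post prescribes.

```python
import re
from typing import Dict, List

# Constructed sample of HKCU Run values (value name -> command line). The first
# entry mirrors the post's reg add example; the other two are benign, made-up
# entries to show that the checks do not fire on ordinary software.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "RgnxMoHuBRi": r'"C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\alice\NbZNzkmlJBe\CSBIZZZtmAS.aeYHig"',
    "SomeVendorTool": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\SomeVendor\tool.jar"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Matches the profile root, e.g. C:\Users\alice\ ; what follows it is the path
# relative to the user's home directory.
_PROFILE_ROOT = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\', re.IGNORECASE)
_ALNUM_NAME = re.compile(r'^[A-Za-z0-9]+$')


def tokenize(cmd: str) -> List[str]:
    """Split a Run-key command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def assess_entry(cmd: str) -> List[str]:
    """Return the reasons a Run-key command line resembles AdWind persistence.

    Signals taken from the post: javaw.exe launched from a copy of the JRE
    inside the user profile, and a -jar target that sits in a single
    opaque folder directly under the profile root with a non-.jar extension.
    """
    tokens = tokenize(cmd)
    if not tokens or not tokens[0].lower().endswith(("javaw.exe", "java.exe")):
        return []
    reasons: List[str] = []
    if _PROFILE_ROOT.match(tokens[0]):
        reasons.append("Java launcher runs from a copy inside the user profile")
    lowered = [t.lower() for t in tokens]
    if "-jar" in lowered and lowered.index("-jar") + 1 < len(tokens):
        jar = tokens[lowered.index("-jar") + 1]
        root = _PROFILE_ROOT.match(jar)
        if root:
            parts = jar[root.end():].split("\\")
            if len(parts) == 2 and _ALNUM_NAME.match(parts[0]):
                reasons.append(f"payload sits in a single opaque folder under the profile root ({parts[0]})")
            if not parts[-1].lower().endswith(".jar"):
                reasons.append(f"-jar target has a non-.jar extension ({parts[-1]})")
    return reasons


def scan_run_entries(entries: Dict[str, str], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Flag values carrying at least min_reasons signals. A single signal is
    too weak on its own (a legitimate tool may keep its .jar under Documents,
    which is also an alphanumeric folder directly under the profile root)."""
    flagged: Dict[str, List[str]] = {}
    for name, cmd in entries.items():
        reasons = assess_entry(cmd)
        if len(reasons) >= min_reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Feed it the Run values exported from endpoints (for example from a registry collection in your EDR) rather than the constructed dictionary; the value name itself is random per infection, so matching on it is pointless, which is why the checks key on the command line's shape instead.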

AdWind communicates with its command and control (C2) server over SSL on non-standard ports with self-signed certificates. It can also be built with a kit and can be configured to access any URL.

Figure 2 shows an example AdWind RAT .jar file when viewed with a Java Decompiler application. The decrypted data file in this path structure reveals the configuration information:

"WvB/JYXJPW/hSSimiMZ/SNUn/lsJ/eXCa/LfKgRy4ws/PbMPKS/GyVeo/YNut/kYSS/XzhhPjlv/mBuvWlLy/cbCRMY/mTHOtTX/CzU/MVPV.YWiHD"


Figure 2. AdWind RAT .jar file viewed with a Java Decompiler application. (Source: Dell SecureWorks)

Figure 3 shows other examples.


Figure 3. Other AdWind RAT .jar examples viewed with a Java Decompiler application. (Source: Dell SecureWorks)

The config.xml configuration file shown in Figure 3 is encrypted. When decrypted, the file reveals the folder name that will be created under the victim's home directory (Install Folder), the filename for the copy of AdWind RAT in that directory (Jar Name), the registry information to add to the HKCU Run key (Reg Key and Reg Value), the server that will be contacted (Domain), and the port numbers to communicate with the remote attacker (Port1 and Port2):

Campaign ID : 1312201510
Domain : edebiyazarlar.com
Install Flag : true
Install Folder : Rii
Jar Name : Toj
Password : 2917d242147c5461835d961c57b1dfc29f5c18a3
Port1 : 1991
Port2 : 1992
Reg Key : 6P1zMW4coqEf7XbrzY2awZ3R
Reg Value : Gyw
Version : Adwind RAT v1.0
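Once a sample's config has been decrypted, the fields above map directly onto things a responder can hunt for: the Domain and ports give the C2 endpoints, Install Folder and Jar Name give the on-disk copy, and Reg Key/Reg Value give the Run-key entry. The following parser is an added example, not code from the post or from CTU; it reads the decrypted fields in the "Key : Value" layout shown above (the sample input re-types the post's own values), validates the ports, and derives those artifacts. %USERPROFILE% is used as a placeholder for the victim's home directory, and the Reg Key/Reg Value pair is passed through as-is because the post does not say which of the two is the value name.

```python
from typing import Dict, Optional

# Constructed sample: the decrypted config.xml values the post reproduces,
# re-typed here as plain "Key : Value" lines so the parser runs offline.
SAMPLE_CONFIG = """\
Campaign ID : 1312201510
Domain : edebiyazarlar.com
Install Flag : true
Install Folder : Rii
Jar Name : Toj
Password : 2917d242147c5461835d961c57b1dfc29f5c18a3
Port1 : 1991
Port2 : 1992
Reg Key : 6P1zMW4coqEf7XbrzY2awZ3R
Reg Value : Gyw
Version : Adwind RAT v1.0
"""

REQUIRED_FIELDS = ("Domain", "Install Folder", "Jar Name", "Port1", "Port2", "Reg Key", "Reg Value")


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key : Value' lines into a dict. Malformed lines raise rather
    than silently yielding a half-filled record."""
    fields: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(" : ")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'Key : Value', got {raw!r}")
        fields[key.strip()] = value.strip()
    return fields


def _port(fields: Dict[str, str], name: str) -> int:
    value = fields[name]
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"{name}: {value!r} is not a valid TCP port")
    return int(value)


def derive_indicators(fields: Dict[str, str]) -> Dict[str, object]:
    """Turn the decoded fields into the artifacts a responder would hunt for."""
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"config is missing fields: {', '.join(missing)}")
    ports = [_port(fields, "Port1"), _port(fields, "Port2")]
    install = fields.get("Install Flag", "false").lower() == "true"
    # Install Folder is created directly under the victim's home directory and
    # Jar Name is the RAT copy inside it (per the post). %USERPROFILE% stands
    # in for that home directory here; it is this example's placeholder.
    install_path: Optional[str] = (
        "\\".join(["%USERPROFILE%", fields["Install Folder"], fields["Jar Name"]]) if install else None
    )
    return {
        "campaign_id": fields.get("Campaign ID"),
        "network": [f"{fields['Domain']}:{p}" for p in ports],
        "install_path": install_path,
        "run_key": {"key": fields["Reg Key"], "value": fields["Reg Value"]},
        "version": fields.get("Version"),
    }


if __name__ == "__main__":
    for name, value in derive_indicators(parse_config(SAMPLE_CONFIG)).items():
        print(f"{name}: {value}")
```

The "network" list is the piece worth pushing into proxy and DNS logging searches first, since the C2 domain and its two ports are stable for the campaign while the folder, file and value names on disk are regenerated per build.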

In the spam samples that include obfuscated .vbs attachments, the attachment downloads and installs AdWind if allowed to execute on a Windows system. Figure 4 shows a sanitized version of one of these scripts. The "VCMzGlxzahzsKs" variable (highlighted in green) is used to build the new deobfuscated VBScript code, which is then stored in the "KcpDUogbNYDXMyAdePwN" variable and executed using the EXECUTE command. The deobfuscated code can be obtained by commenting out the EXECUTE command and substituting it with the Wscript.StdOut.Write function (shown in the red box), and then executing the obfuscated .vbs script at the command prompt using the cscript command.


Figure 4. Obfuscated .vbs script that downloads AdWind RAT. (Source: Dell SecureWorks)

Figure 5 shows a segment of the deobfuscated .vbs script. The code has been commented by the attacker. If a check reveals that JRE is not installed on the system, the script attempts to download a version of JRE based on the operating system architecture (32-bit or 64-bit). The download URLs for the JRE are highlighted in the red box. The avppet . com domain resolves to IP address 173 . 254 . 37 . 144.


Figure 5. Deobfuscated .vbs script that downloads the AdWind RAT. (Source: Dell SecureWorks)

The script then downloads and executes the AdWind RAT .jar file (PO2016_PDF.jar) from http: //ge . tt/api/1/files/5jevrdW2/0/blob?download. The ge . tt domain is hosted on Amazon Web Services IP address space and may also be connected to s3 . kkloud . com . s3 . amazonaws . com.

To mitigate exposure to these threats, CTU researchers recommend that organizations use available controls to restrict access using the indicators in Table 1. The URLs, domains, and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Indicator | Type | Context
b8106a2a42f68f1d84c47fb1375833bb1e7dd210f358b4bb81bf1c2adf2cc5a7 | SHA256 hash | AdWind RAT .jar file
a593e1504d0a01fb66f0081ffa311cd6 | MD5 hash | AdWind RAT .jar file
6ea105a93c804d11d1c3c6fe405b52cf2a7fa716e32190f1424302611446f502 | SHA256 hash | AdWind RAT .jar file (PO2016_PDF.jar)
7fb6f134cce1a187d104ad9062b2a139 | MD5 hash | AdWind RAT .jar file (PO2016_PDF.jar)
d1853eefe67eb9828da6f6cf1d0b32385bddc930a83450b5f050d0dcedea3913 | SHA256 hash | AdWind RAT .jar file
6ab9c4547c9f9d1a634c2c496a08d417 | MD5 hash | AdWind RAT .jar file
a12d2feb590152438c4f66bf84bede7b7696f2cf7c82c358c0800bc9b6a36760 | SHA256 hash | AdWind RAT .jar file (00670380000452.jar)
6bee0eefb649a78d90d3961e290f7c7d | MD5 hash | AdWind RAT .jar file (00670380000452.jar)
677055e9d6819f8eeff7b1bacfe40d3bda7611bd5bdb3c234084e8a47f06a03c | SHA256 hash | Obfuscated .vbs script (PO2016_PDF.jar.vbs), downloads AdWind RAT .jar file
0557257b83751f96338149540122997b | MD5 hash | Obfuscated .vbs script (PO2016_PDF.jar.vbs), downloads AdWind RAT .jar file
f38df5a5babe1f48a65777549b63aaa8b6fbdd64aa1534f71b4df8ccd497d275 | SHA256 hash | ZIP archive (RTGSpayment.zip) containing AdWind RAT .jar file
8cf9a5e2d9322a104b98acbc01b00ce1 | MD5 hash | ZIP archive (RTGSpayment.zip) containing AdWind RAT .jar file
euforiafryz . pl/tmp/RTGSpayment.zip | URL | AdWind RAT .jar file download link
avppet . com/wp-includes/js/tinymce/plugins/media/Oracle_32.zip | URL | 32-bit Java Runtime (JRE) download link used by AdWind RAT
avppet . com/wp-includes/js/tinymce/plugins/media/Oracle_64.zip | URL | 64-bit Java Runtime (JRE) download link used by AdWind RAT
avppet . com | Domain name | Download domain for 32-bit or 64-bit Java Runtime (JRE) by AdWind RAT
173 . 254 . 37 . 144 | IP address | Hosts avppet . com domain that AdWind uses for Java Runtime (JRE) download (ASN = 46606, Unified Layer; Location = USA)
euforiafryz . pl | Domain name | Download domain for AdWind RAT (resolves to 46 . 242 . 145 . 100)
46 . 242 . 145 . 100 | IP address | Hosts download domain euforiafryz . pl for AdWind RAT (ASN = AS12824; Location = Poland)
200 . 107 . 120 . 254 | IP address | AdWind RAT C2 server (ASN = AS14754, Telgua; ISP = SERCOM de Honduras; Location = Tegucigalpa, Honduras)
pepepepe . myvnc . com | Domain name | AdWind RAT C2 server (resolved to 200 . 107 . 120 . 254)
89 . 163 . 154 . 141 | IP address | AdWind RAT C2 server (ASN = AS13301; ISP = UNITED COLO GmbH; Location = Germany)
millzjsocsingwi80gm . duckdns . org | Domain name | AdWind RAT C2 server (resolved to 89 . 163 . 154 . 141)
milzwiregma . no-ip . biz | Domain name | AdWind RAT C2 server (resolved to 89 . 163 . 154 . 141)
185 . 17 . 1 . 229 | IP address | AdWind RAT C2 server (ASN = AS16262; Location = Moscow, Russian Federation)
edebiyazarlar . com | Domain name | AdWind RAT C2 server (resolved to 91 . 121 . 146 . 38)
ebediyazarlar . com | Domain name | AdWind RAT C2 server (resolved to 91 . 121 . 146 . 38)
kulturatesesi . com | Domain name | AdWind RAT C2 server (resolved to 91 . 121 . 146 . 38)
91 . 121 . 146 . 38 | IP address | AdWind RAT C2 server (ASN = AS16276; ISP = OVH Systems; Location = France)

Table 1. Indicators for this threat.
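Table 1 is written in defanged form (spaces around every dot, "http: //"), so it cannot be pasted into a proxy or DNS control as-is. The script below is an added example, not code from the post or from CTU: it refangs each indicator, derives its type from its shape, cross-checks that against the Type column so a mis-labelled row is caught rather than silently blocked as the wrong kind of thing, and groups the result into per-type blocklists. The sample input re-types six rows from Table 1 as "indicator | type | context" lines; the "[.]" and "hxxp" conventions handled by refang() are not used in this post but are common in other reports.

```python
import re
from typing import Dict, List, Set

# Constructed sample: six rows re-typed from Table 1 in the post, in the
# post's own defanged notation, one row per line as "indicator | type | context".
SAMPLE_TABLE = """\
b8106a2a42f68f1d84c47fb1375833bb1e7dd210f358b4bb81bf1c2adf2cc5a7 | SHA256 hash | AdWind RAT .jar file
a593e1504d0a01fb66f0081ffa311cd6 | MD5 hash | AdWind RAT .jar file
euforiafryz . pl/tmp/RTGSpayment.zip | URL | AdWind RAT .jar file download link
avppet . com | Domain name | Download domain for 32-bit or 64-bit Java Runtime (JRE) by AdWind RAT
173 . 254 . 37 . 144 | IP address | Hosts avppet . com domain that AdWind uses for Java Runtime (JRE) download
pepepepe . myvnc . com | Domain name | AdWind RAT C2 server (resolved to 200 . 107 . 120 . 254)
"""

_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Declared Type column (lower-cased) -> the type name classify() produces.
_DECLARED = {"sha256 hash": "sha256", "md5 hash": "md5", "ip address": "ipv4", "url": "url", "domain name": "domain"}


def refang(value: str) -> str:
    """Undo defanging: ' . ' -> '.', 'http: //' -> 'http://', plus the
    '[.]' and 'hxxp' conventions seen in other reports."""
    value = value.replace("[.]", ".").replace("hxxp", "http")
    value = re.sub(r"\s*\.\s*", ".", value)
    return re.sub(r"^(https?):\s*//", r"\1://", value, flags=re.IGNORECASE)


def classify(indicator: str) -> str:
    """Derive the indicator type from its shape (after refanging)."""
    if _SHA256.match(indicator):
        return "sha256"
    if _MD5.match(indicator):
        return "md5"
    if _IPV4.match(indicator):
        return "ipv4"
    if "://" in indicator or "/" in indicator:
        return "url"
    return "domain"


def load_table(text: str) -> List[Dict[str, str]]:
    """Parse 'indicator | type | context' lines into refanged records and
    reject any row whose declared type disagrees with the indicator's shape."""
    records: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        cols = [c.strip() for c in raw.split("|")]
        if len(cols) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(cols)}")
        indicator = refang(cols[0])
        kind = classify(indicator)
        if _DECLARED.get(cols[1].lower()) != kind:
            raise ValueError(f"line {lineno}: declared type {cols[1]!r} but {indicator!r} looks like {kind}")
        records.append({"indicator": indicator, "type": kind, "context": cols[2]})
    return records


def blocklists(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group indicators by type, deduplicated and sorted, ready for a proxy,
    DNS sinkhole or hash-matching control."""
    grouped: Dict[str, Set[str]] = {}
    for record in records:
        grouped.setdefault(record["type"], set()).add(record["indicator"])
    return {kind: sorted(values) for kind, values in grouped.items()}


if __name__ == "__main__":
    for kind, values in blocklists(load_table(SAMPLE_TABLE)).items():
        print(kind)
        for value in values:
            print("  ", value)
```

Note that refang() is applied only to the Indicator column; the Context column keeps its defanged text (and its mention of a second IP) so the provenance of each entry survives into whatever ticket or feed the blocklist ends up in.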



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.