{ "Event": { "analysis": "2", "date": "2017-07-12", "extends_uuid": "", "info": "OSINT - Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind", "publish_timestamp": "1499873068", "published": true, "threat_level_id": "3", "timestamp": "1499872080", "uuid": "59663a31-f174-44a6-adb7-4339950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:rat=\"Adwind RAT\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": false, "type": "link", "uuid": "59663a62-9cbc-43f7-9be5-468c950d210f", "value": "https://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": false, "type": "text", "uuid": "59663a79-0e9c-4ca8-b8f2-463f950d210f", "value": "Cybercriminals are opportunists. As other operating systems (OS) are more widely used, they, too, would diversify their targets, tools, and techniques in order to cash in on more victims. That\u00e2\u20ac\u2122s the value proposition of malware that can adapt and cross over different platforms. And when combined with a business model that can commercially peddle this malware to other bad guys, the impact becomes more pervasive.\r\n\r\nCase in point: Adwind/jRAT, which Trend Micro detects as JAVA_ADWIND. It\u00e2\u20ac\u2122s a cross-platform remote access Trojan (RAT) that can be run on any machine installed with Java, including Windows, Mac OSX, Linux, and Android.\r\n\r\nUnsurprisingly we saw it resurface in another spam campaign. This time, however, it\u00e2\u20ac\u2122s mainly targeting enterprises in the aerospace industry, with Switzerland, Ukraine, Austria, and the US the most affected countries.\r\n\r\nAdwind operators are active\r\nThe spam campaign actually corresponds to our telemetry for JAVA_ADWIND. In fact, the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It\u00e2\u20ac\u2122s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware.\r\n\r\nAdwind/jRAT can steal credentials, record and harvest keystrokes, take pictures or screenshots, film and retrieve videos, and exfiltrate data. Adwind iterations were used to target banks and Danish businesses, and even turned infected machines into botnets.\r\n\r\nNotorious as a multiplatform do-it-yourself RAT, Adwind has many aliases: jRAT, Universal Remote Control Multi-Platform (UNRECOM), AlienSpy, Frutas, and JSocket. In 2014 we found an Android version of Adwind/jRAT modified to add a cryptocurrency-mining capability. The fact that it\u00e2\u20ac\u2122s sold as a service means this threat can be deployed by more cybercriminals who can customize their own builds and equip them with diverse functionalities." }, { "category": "Payload delivery", "comment": "Related C&C servers - Port 1033", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "ip-dst|port", "uuid": "59663a9f-6da0-4221-a5c0-4e26950d210f", "value": "174.127.99.234|1033" }, { "category": "Network activity", "comment": "Related C&C servers:", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "url", "uuid": "59663a9f-d860-4ecc-b483-4775950d210f", "value": "http://vacanzaimmobiliare.it/testla/WebPanel/post.php" }, { "category": "Network activity", "comment": "Files and URLs related to Adwind/jRAT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "url", "uuid": "59663ab8-540c-4a16-8be3-4e07950d210f", "value": "http://ccb-ba.adv.br/wp-admin/network/ok/index.php" }, { "category": "Network activity", "comment": "Files and URLs related to Adwind/jRAT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "url", "uuid": "59663ab8-a9b8-440a-a3d2-48a8950d210f", "value": "http://www.employersfinder.com/2017-MYBA-Charter.Agreement.pif" }, { "category": "Network activity", "comment": "Files and URLs related to Adwind/jRAT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "url", "uuid": "59663ab8-47e8-46b4-abad-44ec950d210f", "value": "https://nup.pw/e2BXtK.exe" }, { "category": "Network activity", "comment": "Files and URLs related to Adwind/jRAT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "url", "uuid": "59663ab8-9408-45f5-b9b3-458e950d210f", "value": "https://nup.pw/Qcaq5e.jar" }, { "category": "Payload delivery", "comment": "TROJ_DLOADR.AUSUDT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha256", "uuid": "59663b1e-6168-4bc2-a032-43d9950d210f", "value": "3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.JEJPCO", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha256", "uuid": "59663b1e-5d84-43ab-bf38-4fe1950d210f", "value": "c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.AUJC", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha256", "uuid": "59663b1e-f8dc-45a2-ba8b-465d950d210f", "value": "97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9" }, { "category": "Payload delivery", "comment": "BKDR64_AGENT.TYUCT", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha256", "uuid": "59663b1e-1774-40ef-9945-4f08950d210f", "value": "705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb" }, { "category": "Payload delivery", "comment": "TROJ_DLOADR.AUSUDT - Xchecked via VT: 3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha1", "uuid": "59663b50-f894-41cb-a7a7-44ae02de0b81", "value": "6f15724ae6cf1dee7cf8380694f45f3e7769ebed" }, { "category": "Payload delivery", "comment": "TROJ_DLOADR.AUSUDT - Xchecked via VT: 3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "md5", "uuid": "59663b50-fc68-4833-a35c-472102de0b81", "value": "51f9e895441dffdf8e47c83208f85993" }, { "category": "External analysis", "comment": "TROJ_DLOADR.AUSUDT - Xchecked via VT: 3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": false, "type": "link", "uuid": "59663b50-3a38-4155-aeb1-424402de0b81", "value": "https://www.virustotal.com/file/3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4/analysis/1499861768/" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.AUJC - Xchecked via VT: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9", "deleted": false, "disable_correlation": false, "timestamp": "1499872080", "to_ids": true, "type": "sha1", "uuid": "59663b50-0d48-4228-a4c3-4a6402de0b81", "value": "9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.AUJC - Xchecked via VT: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": true, "type": "md5", "uuid": "59663b51-8920-42f3-a6f2-439e02de0b81", "value": "781fb531354d6f291f1ccab48da6d39f" }, { "category": "External analysis", "comment": "JAVA_ADWIND.AUJC - Xchecked via VT: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": false, "type": "link", "uuid": "59663b51-d480-4054-bf2f-443202de0b81", "value": "https://www.virustotal.com/file/97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9/analysis/1499851519/" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.JEJPCO - Xchecked via VT: c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": true, "type": "sha1", "uuid": "59663b51-a38c-46b1-9f38-41eb02de0b81", "value": "4f8e8bfea6846c11bb4b58eb07788bea61eadca0" }, { "category": "Payload delivery", "comment": "JAVA_ADWIND.JEJPCO - Xchecked via VT: c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": true, "type": "md5", "uuid": "59663b51-aea4-4825-bde4-4f6b02de0b81", "value": "41c6aae5e303e7f3118af6a3ca2566a8" }, { "category": "External analysis", "comment": "JAVA_ADWIND.JEJPCO - Xchecked via VT: c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": false, "type": "link", "uuid": "59663b51-fa94-4f1d-9c9c-41a702de0b81", "value": "https://www.virustotal.com/file/c16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b/analysis/1499871432/" }, { "category": "Payload delivery", "comment": "BKDR64_AGENT.TYUCT - Xchecked via VT: 705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": true, "type": "sha1", "uuid": "59663b51-f7dc-436c-9075-47ac02de0b81", "value": "0eb986bdc1c922a60d81040652d0e67dff3c5ab2" }, { "category": "Payload delivery", "comment": "BKDR64_AGENT.TYUCT - Xchecked via VT: 705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": true, "type": "md5", "uuid": "59663b51-7180-4b6b-9054-419602de0b81", "value": "829510245185976bd3e423dd8c55c683" }, { "category": "External analysis", "comment": "BKDR64_AGENT.TYUCT - Xchecked via VT: 705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb", "deleted": false, "disable_correlation": false, "timestamp": "1499872081", "to_ids": false, "type": "link", "uuid": "59663b51-611c-459e-87e0-473402de0b81", "value": "https://www.virustotal.com/file/705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb/analysis/1499247775/" } ] } }