enSilo Blocks New Variant of Adwind RAT
Adwind is an infamous Remote Access Trojan (RAT) that was first discovered in 2013. A new variant of the Adwind RAT was detected and blocked by enSilo while, according to VirusTotal, other anti-virus (AV) engines failed to detect it.
On March 27, 2018, enSilo’s post-infection protection platform detected and blocked a new variant of the Adwind Remote Access Trojan (RAT) across multiple customer environments. This threat was only a small part of an Adwind campaign that started around the beginning of 2018. Adwind is an infamous RAT that was first discovered in 2013. It is a cross-platform, multifunctional RAT written in Java, hence it is also known as jRAT.
The main capabilities of the Adwind RAT are:
- Capturing screenshots
- Logging keystrokes
- Recording audio from the microphone
- Recording videos and taking pictures using connected webcams
- Uploading files to the Command and Control (C&C) server
- Downloading and executing
This new variant looks just like older Adwind RAT variants. However, at the time of the attacks, it was not detected by any commercial Anti-Virus (AV) engine on VirusTotal. On April 2, 2018, it was detected by only 11 AV engines, a low detection rate compared to previous Adwind RAT variants. Figure 1 illustrates this comparison.
Figure 1 - New "Adwind" variant analysis results on VirusTotal
The Adwind RAT is commonly distributed in massive spam campaigns via phishing emails that either contain an attached JAR file or a download hyperlink, attempting to lure the victim into clicking it. This new Adwind RAT variant was downloaded from a hyperlink, and the file name associated with this threat was InvoicePAYMENT.jar. The victim executed this file believing it to be an invoice payment document.
When analyzing an Adwind JAR variant with a Java bytecode decompiler, it is preferable to use a decompiler such as Procyon rather than JD-GUI. JD-GUI typically fails to decompile some bytecode instructions, and the Adwind RAT uses obfuscation techniques to defeat decompilers. For example, in JD-GUI the main function looks empty, while in Procyon there is a call to a static function, as shown in Figure 2.
Figure 2 – The JAR main function. On the left, the JD-GUI decompiler view; in the center, the Procyon decompiler view; on the right, the bytecode view.
To make the dropper JAR file harder to analyze, class, function and variable names were replaced with randomly generated words. The dropper JAR contains many encrypted resource files. The Java code that runs at runtime is executed through a ScriptEngine object by calling its eval function on concatenated static strings, which are spread across different classes.
Figure 3 shows a part of the decompiled obfuscated code from that JAR file.
Figure 3 – Part of the decompiled obfuscated code
Previous analyses of Adwind RAT variants showed that a configuration file is built into the JAR and that the RAT reads its configuration from it during execution. This configuration file typically contains a C&C domain or remote IP address, target port, encryption keys and so on. Figure 4 shows the configuration file used by this new Adwind RAT variant.
Figure 4 - The "Adwind" decrypted configuration file
This new Adwind RAT variant works like the previous variants, in the following manner:
- The dropper drops the payload JAR file to the %temp% directory and executes it.
- Checks whether AV and firewall applications are installed on the affected system, using Visual Basic scripts (VBScript).
- Copies itself (the dropper JAR) to a new directory under %userprofile%, then sets the hidden attribute on that directory to conceal it.
- In an effort to achieve persistence on the affected system, the RAT performs the following steps:
a. Copies the original Java installation directory to the %appdata%\Oracle folder.
b. Creates a new value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, which launches the dropper JAR after Windows boots and the user logs on to the affected system.
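As an added example (this is not enSilo's code and is not part of the original analysis), the following Python triage helper parses the output of "reg query" for a Run key and flags values that match the persistence pattern just described: a Java runtime launched from a copy under %appdata%\Oracle, and a JAR placed under the user profile or %temp%. The value name and the benign entries in the sample are constructed; the Oracle copy, the GAEPgWElmjj folder and InvoicePAYMENT.jar come from the analysis above.

```python
"""Added triage helper: flag Run-key values matching the Adwind persistence pattern."""
import re

# Locations the write-up associates with this variant (matched on lower-cased data).
ORACLE_COPY = ("\\appdata\\roaming\\oracle", "%appdata%\\oracle")     # copied JRE
USER_WRITABLE = ("\\users\\", "\\appdata\\local\\temp", "%userprofile%", "%temp%")

# One data line of "reg query ...\Run": <value name> <REG_SZ|REG_EXPAND_SZ> <data>
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.*?)\s*$")
JAVA_EXE = re.compile(r'"?([^"\s]*\\javaw?\.exe)"?', re.IGNORECASE)
JAR_ARG = re.compile(r'-jar\s+"?([^"\s]+\.jar)"?', re.IGNORECASE)

def classify_run_value(data):
    """Return the reasons a Run value looks like Adwind-style persistence ([] if none)."""
    cmd = data.lower()
    jar = JAR_ARG.search(cmd)
    if jar is None:
        return []                                    # does not launch a JAR at all
    reasons = []
    java = JAVA_EXE.search(cmd)
    if java and any(d in java.group(1) for d in ORACLE_COPY):
        reasons.append("java runtime launched from a copy under %appdata%\\Oracle")
    if any(d in jar.group(1) for d in USER_WRITABLE):
        reasons.append("JAR lives in a user-writable profile/temp directory")
    return reasons

def scan_run_key(reg_output):
    """Parse 'reg query' output of a Run key; return {value_name: reasons} for hits only."""
    hits = {}
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            reasons = classify_run_value(m.group(3))
            if reasons:
                hits[m.group(1)] = reasons
    return hits

# Constructed sample output: the value name "GAEPgWElmjj" and the two benign entries
# are invented; the Oracle copy, the GAEPgWElmjj folder and InvoicePAYMENT.jar are
# the artifacts described in the analysis.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive       REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    GAEPgWElmjj    REG_SZ    "C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\alice\GAEPgWElmjj\InvoicePAYMENT.jar"
    ToolUpdater    REG_SZ    "C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Program Files\Tool\updater.jar"
"""

if __name__ == "__main__":
    for name, why in scan_run_key(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

A JAR launched from a properly installed JRE out of Program Files is left alone, so the heuristic keys on the combination of relocated runtime plus user-writable JAR path rather than on Java itself.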
enSilo Blocks Adwind RAT
enSilo’s post-infection protection platform blocks Adwind as it attempts to access the internet, as shown in Figure 5.
Figure 5: blocked "Adwind" C&C communication attempt
Since this new Adwind RAT variant was blocked in real time from communicating with its C&C server, it could not perform any further activity. In other words, the threat was contained without causing any damage.
There are quite a few variants of Adwind/jRAT in the wild, and new ones are constantly being discovered. enSilo’s post-infection protection platform, which is not signature-based, reduces dwell time while preserving business continuity.
Files and hashes of the analyzed samples:
Filename: Adwind.class (the payload JAR file in the %temp% directory)
SHA256: 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
%userprofile%\GAEPgWElmjj – the hidden directory to which the dropper JAR copies itself.
Persistence in Registry
File hashes of additional samples – SHA256:
DNS from the analyzed sample configuration
This domain was still blacklisted by multiple security vendors at the time of writing this report.