ENSILO BLOG

enSilo Blocks New Variant of Adwind RAT

Adwind is an infamous Remote Access Trojan (RAT) first discovered in 2013. A new variant of Adwind RAT was detected and blocked by enSilo, while other anti-virus (AV) engines failed to detect it, according to VirusTotal.

SUMMARY

 

On March 27, 2018, enSilo’s post-infection protection platform detected and blocked a new variant of the Adwind Remote Access Trojan (RAT) across multiple customer environments. This threat was only a small portion of an Adwind campaign that started around the beginning of 2018. Adwind is an infamous RAT that was first discovered in 2013. It is a Java-based, cross-platform, multifunctional RAT; hence, it is also known as jRAT.

Adwind RAT’s main capabilities are:

  • Capturing screenshots
  • Logging keystrokes
  • Recording audio from the microphone
  • Recording videos and taking pictures using connected webcams
  • Uploading files to the Command and Control (C&C) server
  • Downloading and executing

This new variant looks just like older Adwind RAT variants. However, at the time the attacks took place, this new variant was not detected by any commercial Anti-Virus (AV) engine on VirusTotal. On April 2, 2018, it was detected by only 11 AV engines, a low detection rate compared to previous Adwind RAT variants. Figure 1 illustrates this comparison.


Figure 1 - New "Adwind" variant analysis results on VirusTotal

Malware analysis


The Adwind RAT is commonly distributed in massive spam campaigns via phishing emails that either contain an attached JAR file or a download hyperlink, attempting to lure the victim into clicking it. This new Adwind RAT variant was downloaded from a hyperlink, and the file name associated with this threat was InvoicePAYMENT.jar. The victim executed the file believing it was an invoice payment document.

When analyzing an Adwind JAR variant with a Java bytecode decompiler, it is preferable to use a decompiler such as Procyon rather than JD-GUI. JD-GUI typically has trouble decompiling some bytecode instructions, and the Adwind RAT uses obfuscation techniques that defeat decompilers. For example, in JD-GUI the main function looks empty, while in Procyon there is a call to a static function, as shown in Figure 2.

 


 

Figure 2 – The JAR main function. On the left, the JD-GUI decompiler view; in the center, the Procyon decompiler view; on the right, the ByteCode decompiler view.

 

To make the dropper JAR file harder to analyze, class, function and variable names were replaced with randomly generated words. The dropper JAR contains many encrypted resource files. The Java code that actually runs at runtime is executed through a “ScriptEngine” object by calling its “eval” method on concatenated static strings that are scattered across different classes. Figure 3 shows part of the decompiled obfuscated code from that JAR file.


Figure 3 – Part of the decompiled obfuscated code
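As an added example (not code from the original post), the following Python script performs a static triage of a JAR for the two traits just described: a class that references javax.script.ScriptEngine together with eval, and non-class resource files that outnumber the classes. The JAR it builds is constructed in memory for the demonstration and is not a real Adwind sample.

```python
import io
import zipfile

# Constant-pool strings a class must contain to call ScriptEngine.eval();
# "eval" alone is too common, so both are required together.
SCRIPT_ENGINE = b"javax/script/ScriptEngine"
EVAL_METHOD = b"eval"


def triage_jar(jar_bytes: bytes) -> dict:
    """Static triage of an in-memory JAR: flags classes that dispatch through
    ScriptEngine.eval() plus non-class resources (the encrypted payload
    blobs) that outnumber the classes."""
    classes = resources = 0
    uses_script_engine = False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            if info.filename.endswith(".class"):
                classes += 1
                # Referenced class and method names sit in the constant pool
                # as modified UTF-8, so a byte search finds them without a
                # full class-file parser.
                data = jar.read(info)
                if SCRIPT_ENGINE in data and EVAL_METHOD in data:
                    uses_script_engine = True
            else:
                resources += 1
    return {
        "classes": classes,
        "resources": resources,
        "uses_script_engine": uses_script_engine,
        "suspicious": uses_script_engine and resources > classes,
    }


def build_sample_jar(script_engine: bool = True, resources: int = 5) -> bytes:
    """Constructed test JAR (not a real sample): one fake class file that
    optionally references ScriptEngine.eval, plus opaque resource blobs."""
    class_body = b"\xca\xfe\xba\xbe"  # class-file magic; nothing else is parsed
    if script_engine:
        class_body += SCRIPT_ENGINE + b"\x00" + EVAL_METHOD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Main-Class: a.b\n")
        jar.writestr("a/b.class", class_body)
        for i in range(resources):
            jar.writestr(f"r/{i}.dat", bytes([i]) * 64)
    return buf.getvalue()
```

Run `triage_jar` over a real JAR's bytes to get the same dictionary; the ratio check is a triage hint, not proof of maliciousness.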

 

Previous analyses of Adwind RAT variants found that they carry a built-in configuration file that is read during execution. This configuration typically contains a C&C domain or remote IP address, a target port, encryption keys and so on. Figure 4 shows the configuration file used by this new Adwind RAT variant.

 


Figure 4 - The "Adwind" decrypted configuration file

 

This new Adwind RAT variant works like the previous variants, in the following manner:

  1. The dropper drops the payload JAR file to the %temp% directory and executes it.
  2. It checks whether AV and firewall applications are installed on the affected system using Visual Basic scripts (VBScript).
  3. It copies itself (the JAR dropper) to a new directory under %userprofile%, then sets the folder’s hidden attribute to conceal it.
  4. To achieve persistence on the affected system, the RAT performs the following steps:

             a.  Copies the original Java installation directory to the %appdata%\Oracle folder.

             b.  Creates a new value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, which runs the dropper JAR after Windows has booted and the user has logged on to the affected system.
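The persistence entry described in step 4 can be hunted for in an export of the Run key. The following Python check is an added example, not enSilo’s code: it scores each Run value against the three traits above (a Java launcher started with -jar, a private Java copy under %appdata%\Oracle, and a JAR in a directory directly beneath the user profile). The sample Run values are constructed from the value name, directory name and file name given in this post; the user name and the two benign entries are made up.

```python
import re

# Heuristics mirroring the persistence behaviour described above.
_JAVA_LAUNCHER = re.compile(r"\bjavaw?(?:\.exe)?\b", re.IGNORECASE)
_PRIVATE_JAVA = re.compile(r"(?:%appdata%|\\AppData\\Roaming)\\Oracle\\", re.IGNORECASE)
_PROFILE_JAR = re.compile(
    r"(?:%userprofile%|\\Users\\[^\\]+)\\[^\\]+\\[^\\]+\.jar\b", re.IGNORECASE)


def assess_run_value(command: str) -> list:
    """Return the reasons a Run-key command line resembles the Adwind
    persistence entry; an empty list means nothing matched."""
    reasons = []
    if _JAVA_LAUNCHER.search(command) and "-jar" in command.lower():
        reasons.append("java launcher started with -jar from a Run value")
    if _PRIVATE_JAVA.search(command):
        reasons.append("Java runtime copied under AppData\\Roaming\\Oracle")
    if _PROFILE_JAR.search(command):
        reasons.append("JAR located in a directory directly under the user profile")
    return reasons


def scan_run_values(values: dict, min_reasons: int = 2) -> dict:
    """Map value name -> reasons for every entry with at least min_reasons hits.
    `values` is {value_name: command_line}, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = {}
    for name, command in values.items():
        reasons = assess_run_value(command)
        if len(reasons) >= min_reasons:
            hits[name] = reasons
    return hits


# Constructed Run-key export: the first entry is modelled on the value name,
# hidden-directory name and file name given in this post; "alice" and the two
# benign entries are made up for the demonstration.
SAMPLE_RUN_VALUES = {
    "zmfHdflEMwn": r'"C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe" '
                   r'-jar "C:\Users\alice\GAEPgWElmjj\InvoicePAYMENT.jar"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SunJavaUpdateSched": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
}
```

A single hit (for example, a legitimate Java application registered in Run) is not flagged by default; raise or lower `min_reasons` to tune the check for your environment.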

enSilo Blocks Adwind RAT

 

enSilo’s post-infection protection platform blocks Adwind as it attempts to access the internet, as shown in Figure 5.


Figure 5: Blocked "Adwind" C&C communication attempt

Since this new Adwind RAT variant was blocked in real time from communicating with its C&C server, it was unable to perform any further activity. In other words, the threat was contained without causing any damage.

There are quite a few variants of Adwind/jRAT in the wild, and new ones are constantly being discovered. enSilo’s post-infection protection platform, which is not signature-based, reduces dwell time while preserving business continuity.

IOCs

 
File names and hashes of the analyzed samples:

Filename: InvoicePAYMENT.jar
SHA256: 7D08062CBB665D6949ED9C14A4E21A90529462781DF95A5BBC324D747C8BA1C1

Filename: Adwind.class (the payload JAR file dropped to the %temp% directory)
SHA256: 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9

File paths

%userprofile%\GAEPgWElmjj – the hidden directory to which the dropper JAR copies itself.

Persistence in Registry

 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zmfHdflEMwn

File hashes of additional samples – SHA256:

 

DNS from the analyzed sample configuration:

 

rdpagain[.]duckdns[.]org

This domain was still blacklisted by multiple security vendors at the time this report was written.

 

IP addresses:

 
134[.]19[.]180[.]230
185[.]209[.]85[.]184
146[.]255[.]79[.]185
185[.]227[.]83[.]56

References

https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html



 

 
