Modern cyber-attacks against well-defended enterprises are not as simple as you may think. They are comprised of many components in charge of different tasks.  For example, if an attacker wishes to execute a destructive attack it will require at least:

  • A backdoor for reconnaissance and stealing sensitive information later to be publicly released, enabling the deployment of future modules
  • A destructive wiper module for rendering endpoints unusable
  • A worm-like component for distributing the malware across the organization

The RAT (Remote Administration Tool or Remote Access Trojan) is a key component in such attacks. Once an initial foothold is established, it enables attackers to collect sensitive data and intelligence from the target and execute secondary payloads like the wiper in our example. It is common to buy an “off-the-shelf” RAT sold at as low a price as 20-30 US dollars or even for free.

Although this type of malware has many families and strains almost any RAT will include:

  • A keylogger
  • Modules for watching and listening to the webcam and microphone
  • Functionality to steal credentials from sensitive software such as browsers, SSH or FTP clients
  • Capability to execute secondary payloads on the target machine

The above capabilities combined with the high availability of RATs make it a go-to solution for attackers where an “all-around player” malware is required.

Staying Stealthy by Exhausting Traditional Security Products

“Commodity” RATs are used by individuals but during the past decade we’ve seen it used by cybercrime gangs and state-sponsored threat actors as well.

For petty thieves and state sponsored actors alike, a key factor for successfully infecting the target is staying undetected by ALL security products. It is a challenge to keep your tool undetected, especially when using commodity malware. As anyone may purchase the same RAT – it is effectively shared across an unknown number of other attackers. You can assume that:

  • ‍Some may be less skilled in their actions and cause the detection of the tool
  • Other “attackers” may be intelligence divisions of security vendors

Both cases will result in malware analysts trying to investigate the malware, challenging them to deploy signatures detecting the new variant as soon as possible. The rapid deployment of such signatures will render the intercepted variant useless against potential victims with updated signatures.

The operators of RATs are aware of this potential threat to their ventures; therefore, they will try to disguise their malware, obfuscating its true nature. While there are many different techniques to obfuscate a malware, any decent implementation will result in a payload which is highly difficult to generically sign and detect, generating different-looking payloads even when created by the same perpetrator. Moreover, during this “packing” process, capabilities to detect security analysis tools and sandboxes are added. It might sound complex, but creating a weaponized, obfuscated and evasive RAT instance is just a click away nowadays.

‍An example for the result of Java obfuscation, the disguised output on the right – note the random names and the lack of structure in comparison to the un-obfuscated code on the left

Java RATs & Adwind

Malware written in Java is a double challenge for security companies – it is obfuscated like similar malicious software, but unlike others it is not compiled into an executable. The delivered payload is written in an “intermediate language”, interpreted to machine code only when it is executed. This structure challenges both traditional and NG vendors, as their techniques are struggling to handle it.

Defenders’ limitations against Java threats made it an increasingly common technology in the RAT world. There are many known “products” in this market, including:

  • ‍jRAT
  • jSocket
  • Adwind
  • Frutas\jFrutas
  • Alienspy
  • Unrecom

According to Kaspersky’s researchers they all share a similar base, but at the very least they are branded and sold separately.

Although it is based on a different technology behind the scenes, Java-based RATs are distributed just like any other malware.

Recently we witnessed a campaign demonstrating all the above properties, based on the Adwind RAT as the main component of the attack.

It was spread by attaching the Java executable (.jar) to a luring phishing email directly. This specific RAT was a key component in campaigns against banks and one of its variants was linked to the assassination of Alberto Nisman.

‍Adwind attached to a phishing email

Although you may think this type of threat can be easily detected by blocking all .jar attachments – the reality is that attackers abuse the fact that you can enforce limitations on email clients to some extent without harming users’ activity. They use many ways to deliver Adwind, as the evolution of this in-the-wild threat proves. We’ve already witnessed how it is attached as a ZIP and even as an embedded URL.

‍Adwind, attached within a ZIP file (credit: MyOnlineSecurity)
‍Adwind, embedded as a URL (credit: MalwareTrafficAnalysis)

The Adwind malware functionality from the latest campaign wasn’t different from earlier campaigns, demonstrating the following capabilities:

  • ‍Achieving persistence by modifying the registry and replicating itself to the temporary files folder
  • Virtual machine detection – commonly used as a sandbox or by security researchers, terminating itself if found
  • Gathering information about various products installed on the endpoint using WMI
  • Terminating over ~125 applications including popular AVs and popular malware reverse-engineering software like Wireshark
  • Stealing credentials from Outlook, common messaging applications and browsers
  • Disabling Windows’ User Access Control (UAC) and other security features.
  • Generic modules for recording keystrokes, microphone and webcam.

Adwind’s technical properties and a YARA rule to detect it are available in the last section of this post.

Overcoming Obfuscation Simply and Elegantly

We at Minerva understood that malware can be obfuscated in countless ways, but if it wishes to stay under the radar – testing for the presence of dangerous environment greatly reduces that likelihood. Adwind is a good example for this evasive behavior, as it tests if it is executed in either VirtualBox or VMware virtual machine prior to any malicious activity.

‍Adwind seeking VirtualBox and VMware

Minerva’s Hostile Environment Simulation, part of the Minerva Anti-Evasion Platform excels against threats trying to stay under the radar and Adwind is just another proof for that. The test for these artifacts is well obfuscated and hidden by the inherited properties of Java – yet, it must be performed somehow. Minerva’s endpoint protection solution intercepts the test and makes the malware think its greatest fears are present. This groundbreaking technology prevents the execution of Adwind and other RATs, no matter how it is obfuscated.

 

IoC

YARA Rule

rule Adwind

{

meta:

author=””Asaf Aprozper, asafa AT minerva-labs.com””

description = “”Adwind RAT””

last modified = “”2017-06-25″”

strings:

$a0 = “”META-INF/MANIFEST.MF””

$a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/

$PK = “”PK””

condition:

$PK at 0 and $a0 and $a1

}

SHA256

  • ‍6b433bba98d141bd659c72f543aab0edd13f7bf245109644a9586abd3735ca8f
  • 41df30e6ad126cea230cc9e6f61a81548ce452d3ab98a64be87f2f896c5682d5
  • dce25a6cc0f9b488c12b77a2b770bf3c6a9979e273122b42f54413062ced4077
  • f83201512e3433dabdc6e70af6e2bd52b9f90a68c1ad022e6e5d89312dc7cd66
  • bd62b29b77779f6a0fb9e0ebc2099404fa0dad8f0d8efe4495aca3e76bf7cee5
  • f2ed70a8bc3000fd60a60d50721586879b9df04e75ee275220848e1182ade34b
  • 5dd04af1d1221d5677a6ea378ae69ffa967f684b328cd9c090a6ac1a0262a90f
  • a5b987b633102b94d2587625666d95aec259e008a3965cf88ee826d02e4bb24d
  • dd755237028495944d2e43b2f4b48acaea2d7e3931683e78f69fcd66d6aa33c8

Email Subjects

  • ‍MyFax message from “<COMPANY NAME>” – 4 page(s), Caller-ID: 1-516-799-6300″
  • 转发: TRY5000001054739 wire recall and 转发: Payment
  • Re: Documents of shipment(TOP URGENT)

Terminated Processes

  • ProcessHacker.exe
  • procexp.exe
  • MSASCui.exe
  • MsMpEng.exe
  • MpUXSrv.exe
  • MpCmdRun.exe
  • NisSrv.exe
  • ConfigSecurityPolicy.exe
  • procexp.exe
  • wireshark.exe
  • tshark.exe
  • text2pcap.exe
  • rawshark.exe
  • mergecap.exe
  • editcap.exe
  • dumpcap.exe
  • capinfos.exe
  • mbam.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • AdAwareService.exe
  • AdAwareTray.exe
  • WebCompanion.exe
  • AdAwareDesktop.exe
  • V3Main.exe
  • V3Svc.exe
  • V3Up.exe
  • V3SP.exe
  • V3Proxy.exe
  • V3Medic.exe
  • BgScan.exe
  • ullGuard.exe
  • BullGuardBhvScanner.exe
  • BullGuarScanner.exe
  • LittleHook.exe
  • BullGuardUpdate.exe
  • clamscan.exe
  • ClamTray.exe
  • ClamWin.exe
  • cis.exe
  • CisTray.exe
  • cmdagent.exe
  • cavwp.exe
  • dragon_updater.exe
  • MWAGENT.EXE
  • MWASER.EXE
  • CONSCTLX.EXE
  • avpmapp.exe
  • econceal.exe
  • escanmon.exe
  • econser.exe
  • VIEWTCP.EXE
  • FSHDLL64.exe
  • fsgk32.exe
  • fshoster32.exe
  • FSMA32.EXE
  • fsorsp.exe
  • ssm32.exe
  • FSM32.EXE
  • trigger.exe
  • FProtTray.exe
  • FPWin.exe
  • FPAVServer.exe
  • AVK.exe
  • GdBgInx64.exe
  • AVKProxy.exe
  • GDScan.exe
  • AVKWCtlx64.exe
  • AVKService.exe
  • AVKTray.exe
  • GDKBFltExe32.exe
  • GDSC.exe
  • virusutilities.exe
  • guardxservice.exe
  • guardxkickoff_x64.exe
  • iptray.exe
  • freshclam.exe