
SWIFT Grift: Fake financial messaging service emails deliver Adwind RAT

An email phishing campaign launched this month attempted to infect spam recipients with the Adwind cross-platform RAT by fooling them into thinking they received an important financial document from the SWIFT financial messaging system.

According to a Feb. 21 blog post from Comodo Group's Threat Research Lab, the spam messages falsely alerted recipients to a wire bank transfer made to their designated bank accounts, and advised them to review an attached document to ensure there were no discrepancies. However, the supposedly legitimate pdf.z attachment is actually Adwind, which also goes by jRAT, AlienSpy, Frutas, and other nicknames.

Comodo explains that disguising malicious emails as SWIFT communications is particularly effective because money can provoke an emotional response that overrides critical thinking, making it more likely someone will open the attachment.

“If an employee receives an email, they will be afraid to not open it,” the blog post states. “What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow.”

Company researchers suspect that Adwind was likely used in this instance to spy and perform reconnaissance on victims, as well as to download additional malware programs based on what attackers were able to learn about the infected environments.
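The lure described above combines a finance-themed pretext with a compressed attachment (pdf.z) that carries the RAT rather than a document. The following is an added example, not code from Comodo or the article, showing how a mail-gateway check could flag that pattern; the sample message, the sender domain and the keyword lists are all constructed for illustration, and the assumption that legitimate SWIFT mail comes from swift.com is the author's own.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample message imitating the lure described in the article:
# a fake SWIFT wire-transfer notice with a "pdf.z" archive attached.
SAMPLE_EML = """\
From: SWIFT Payments <notice@example-sender.test>
To: accounts@victim.example
Subject: SWIFT wire transfer confirmation - please review attached copy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A wire transfer has been credited to your account. Review the attached
SWIFT copy and report any discrepancies.
--b1
Content-Type: application/octet-stream; name="SWIFT_COPY.pdf.z"
Content-Disposition: attachment; filename="SWIFT_COPY.pdf.z"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Archive/container extensions that commonly wrap an executable payload (assumed list)
ARCHIVE_EXTS = {"z", "zip", "7z", "rar", "gz", "jar", "ace", "arj"}
# Document extensions a lure pretends to deliver (assumed list)
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
# Finance-themed pretext terms (assumed list)
LURE_TERMS = ("swift", "wire transfer", "bank transfer", "payment", "invoice")

def attachment_names(msg: Message) -> list:
    """Return the filenames of every attachment part in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def is_disguised_archive(filename: str) -> bool:
    """True for names like 'COPY.pdf.z': a document extension in front of an archive one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in ARCHIVE_EXTS and parts[-2] in DOC_EXTS

def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report the lure/attachment indicators found."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    names = attachment_names(msg)
    findings = {
        "finance_lure": any(t in subject or t in sender for t in LURE_TERMS),
        "disguised_archive": [n for n in names if is_disguised_archive(n)],
        # SWIFT branding from a domain other than swift.com (assumed legitimate domain)
        "swift_brand_external": "swift" in sender and "@swift.com" not in sender,
    }
    findings["suspicious"] = bool(findings["disguised_archive"]) and findings["finance_lure"]
    return findings
```

A match on both indicators is a quarantine-and-review signal, not proof of Adwind; the archive still needs to be inspected in a sandbox before any verdict.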

Taking place on Feb. 9, this particular attack campaign displayed a Turkish contact address as well as the email sender address [email protected], and stemmed from IP addresses located in Cyprus, the Netherlands and Turkey.

“As we see, cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise's network,” said Fatih Orhan, head of Comodo Threat Research Lab, in the blog post. “They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
