
Attackers use evolved code injection technique to target Turkey with Adwind RAT

A new spam campaign that debuted last August is attempting to infect Turkish targets with the Adwind 3.0 remote access tool, using a previously undiscovered variant of a code injection attack that exploits Microsoft's Dynamic Data Exchange (DDE) data transfer protocol.

A key improvement to this variant is that it features new techniques to avoid anti-malware software detection, according to researchers from Cisco Systems' Talos division and ReversingLabs, who jointly studied the threat and both published blog posts detailing their observations.

The ongoing campaign, which commenced on Aug. 26 and peaked on Aug. 28, uses droppers with .csv or .xlt extensions, both of which are formats that Microsoft Excel opens by default. Naturally, the attackers are sending out phishing emails containing Excel attachments -- including one sample that attempted to entice victims with a message about the cost of footwear.

The attackers attempt to disguise the dropper files by giving them innocuous-looking file extensions such as .htm, .xls and .txt. Certain formats, such as .csv (comma-separated values), don't have predefined headers -- meaning they can contain any kind of random data at the beginning, which could "trick the anti-virus into skipping the file scanning," Talos reports. "Other formats may be considered corrupted, as they might not follow the expected format."

Excel does display pop-up warnings before the suspicious attachment is opened, but if the user nonetheless approves, the malware creates and executes a VBScript that uses the Microsoft tool bitsadmin to download Adwind RAT v3.0 -- the main payload.

Written in Java and packed for obfuscation, the RAT can attack Linux, Mac OSX and Windows platforms. "This RAT is used by several malicious groups. It gives its operators the ability to execute any kind of commands on its victims, log keystrokes, take screenshots, take pictures or transfer files," Talos reports. "In the past, it has been used to run cryptocurrency mining campaigns and in a separate attack that targeted the aviation industry."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
