A new spam campaign that debuted last August is attempting to infect Turkish targets with the Adwind 3.0 remote access tool, using a previously undiscovered variant of a code injection attack that exploits Microsoft's Dynamic Data Exchange (DDE) data transfer protocol.
A key improvement to this variant is that it features new techniques to avoid anti-malware software detection, according to researchers from Cisco Systems' Talos division and ReversingLabs, who jointly studied the threat and both published blog posts detailing their observations.
The ongoing campaign, which commenced on Aug. 26 and peaked on Aug. 28, uses droppers with .csv or .xlt extensions, both of which are formats that Microsoft Excel opens by default. Naturally, the attackers are sending out phishing emails containing Excel attachments -- including one sample that attempted to entice victims with a message about the cost of footwear.
The attackers attempt to disguise the dropper files by giving them innocuous-looking file extensions such as .htm, .xls and .txt. Certain formats, such as .csv (comma-separated values), don't have predefined headers -- meaning they can can contain any kind of random data at the beginning, which could "trick the anti-virus into skipping the file scanning," Talos reports. "Other formats may be considered corrupted, as they might not follow the expected format."
Excel does display pop-up warnings before the suspicious attachment is opened, but the if the user nonetheless approves, the malware creates and executes a VBScript that uses the Microsoft tool bitasdmin to produce Adwind RAT v3.0 -- the main payload.
Written in Java and packed for obfuscation, the RAT can attack Linux, Mac OSX and Windows platforms. "This RAT is used by several malicious groups. It gives its operators the ability to execute any kind of commands on its victims, log keystroke, take screenshots, take pictures or transfer files," Talos reports. "In the past, it has been used to run cryptocurrency mining campaigns and in a separate attack that targeted the aviation industry.