Updated 2015-08-18 to include information on AlienSpy transitioning to JSocket v1.0.

Introduction

Since mid-July 2015, I've noticed an increase in malicious spam (malspam) caught by my employer's spam filters with Java archive (.jar file) attachments. These .jar files are most often identified as Adwind. Adwind is a Java-based remote access tool (RAT) used by malware authors to gain backdoor access to infected computers. There's no vulnerability involved. To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file, which only works if a Java Runtime Environment (JRE) is installed and associated with .jar files, as it is on many machines.

I previously associated Adwind with targeted phishing attempts in limited amounts and had found very few examples of non-targeted malspam using this RAT. However, we're currently seeing enough Adwind-based malspam to ask: Is Adwind now another payload for botnet-based malspam?

Background

Adwind originated from the Frutas RAT [1]. Frutas was a Java-based RAT that Symantec discovered on underground forums in early 2013 [2]. By the summer of 2013, the name had changed to Adwind, and anti-virus companies had implemented signatures for Adwind-based malware [3]. In November 2013, Adwind was rebranded and sold under a new name: UNRECOM (UNiversal REmote COntrol Multi-platform) [1].

Throughout 2013, we noticed a few occasions of Adwind used in phishing attempts. 2014 saw an increase of Adwind/UNRECOM malware used in phishing campaigns targeting "U.S. state and local government, technology, advisory services, health, and financial sectors" [4]. By April 2015, a new Adwind/UNRECOM variant called AlienSpy was widely reported. This variant added Transport Layer Security (TLS) encryption for command-and-control communications, and the server certificate presented in those TLS sessions is what makes the traffic recognizable.
EmergingThreats posted a signature for Adwind-based certificates in March 2015 [5], and Fidelis CyberSecurity Solutions published an in-depth report on AlienSpy the following month [6].

Recent updates
The naming progression appears to be: Frutas -> Adwind -> UNRECOM -> AlienSpy -> JSocket. From what I can tell, it's all been Java-based malware sent as .jar file attachments in phishing emails. Many people still refer to it as Adwind, which is how I see it identified most often.

Not counting targeted attempts, I had found Adwind-based malspam maybe once every month or two. That changed in mid-July 2015. Since then, the amount of malspam carrying Adwind has increased dramatically; currently I see at least one Adwind-based malspam per day on average. The frequency of this malspam, along with the variety of subject lines, attachment names, and senders, indicates Adwind is no longer limited to targeted attacks. Frutas/Adwind/UNRECOM/AlienSpy/JSocket (whatever you want to call it) appears to be another payload for botnet-based malspam.

The emails

Here's a sample of the different senders, subjects, and attachment names I've seen for Adwind-based malspam since mid-July 2015.

Read: Date -- Sender (most often spoofed) -- Subject -- Attachment name(s)
Prior to mid-July 2015, I saw Adwind-based malware maybe once every month or two and never paid much attention to it until I noticed the recent increase. Some screenshots are shown below:

The malware

I collected some samples during the past week and examined them. With a Java Development Kit (JDK) installed, the command jar tf [filename] lists the contents of a Java archive (a .jar file is a ZIP archive, so any ZIP tool will also show the entries). Most (but not all) of the .jar files had this internal file structure:
Command and control communications

Samples collected during the past week show the following TLS-encrypted command-and-control traffic after infection:

Read: host name - IP address - port
I examined a pcap from the last malware sample above, with command-and-control traffic on TCP port 1818. Because the traffic isn't on port 443, Wireshark won't dissect it as SSL/TLS by default, but you can still find the certificate. First, follow the TCP stream with the traffic on port 1818. From the Wireshark menu, select: Analyze -> Decode As. In the window that pops up, select the Transport tab, scroll down to SSL, and apply. Wireshark will now parse this TCP stream as SSL, and the server's certificate appears in the Certificate handshake message, as shown in the image below. (In Wireshark 3.x and later the dissector is named TLS rather than SSL and the Decode As dialog is a table, but the procedure is the same.)

This still shows the same certificate information that EmergingThreats tagged in its Snort signature from March 2015 [5]. I saw the same certificate information used last week [10], and it continues this week.
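The Decode As steps above are a manual way of getting at the certificate. As an added example (not code from the diary, and not from any Adwind analysis), the Python below does the same job programmatically: it walks the TLS records of a raw TCP stream regardless of the port, pulls the DER certificate out of the server's Certificate handshake message, renders the subject and issuer, computes the SHA-1 fingerprint, and compares the subject against a pinned known-bad value. Everything it runs on is constructed: the subject "CN=assumed.example, O=Assumed Org, C=XX", the placeholder key and signature bits, and the ServerHello/Certificate records are sample data, because the real Adwind certificate fields are not reproduced on this page; put the values you observe in the pcap into KNOWN_BAD_SUBJECTS.

```python
# Added example, not code from the diary; every certificate value below is a constructed placeholder.
import hashlib
import struct

def der(tag, body):
    """Encode one DER TLV (long-form length above 127 bytes)."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_read(buf, i):
    """Parse the TLV at offset i -> (tag, value_start, value_end)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                   # long-form length
        nb = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + nb], "big"), i + nb
    return tag, i, i + ln

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in [start, end)."""
    while start < end:
        tag, s, e = der_read(buf, start)
        yield tag, s, e
        start = e

# DER-encoded OIDs: X.500 attribute types, rsaEncryption, sha256WithRSAEncryption
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O"}
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def der_name(attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }."""
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, o) + der(0x13, v.encode())))
                              for o, v in attrs))

def parse_name(buf, start, end):
    """Render a DER Name as 'CN=..., O=..., C=...' in wire order."""
    out = []
    for _, rs, re_ in der_children(buf, start, end):             # one RDN (SET)
        for _, as_, ae in der_children(buf, rs, re_):            # AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = der_children(buf, as_, ae)
            oid = buf[os_:oe]
            out.append(f"{ATTR.get(oid, oid.hex())}={buf[vs:ve].decode('latin-1')}")
    return ", ".join(out)

def cert_summary(cert):
    """Issuer, subject and SHA-1 fingerprint of one DER certificate."""
    _, cs, _ = der_read(cert, 0)                    # Certificate SEQUENCE
    _, ts, te = der_read(cert, cs)                  # tbsCertificate SEQUENCE
    f = list(der_children(cert, ts, te))
    if f[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        f = f[1:]                                   # serial, sigalg, issuer, validity, subject, ...
    return {"issuer": parse_name(cert, *f[2][1:]), "subject": parse_name(cert, *f[4][1:]),
            "sha1": hashlib.sha1(cert).hexdigest()}

def server_certificates(stream):
    """DER certs from the first Certificate (type 11) handshake message in a raw TCP stream."""
    hs, i = b"", 0
    while i + 5 <= len(stream):                     # TLS record header: type, version, length
        ctype, _ver, ln = struct.unpack("!BHH", stream[i:i + 5])
        if ctype == 22:                             # handshake content type
            hs += stream[i + 5:i + 5 + ln]
        i += 5 + ln
    i = 0
    while i + 4 <= len(hs):                         # handshake message: type, 24-bit length
        htype, hlen = hs[i], int.from_bytes(hs[i + 1:i + 4], "big")
        body, i = hs[i + 4:i + 4 + hlen], i + 4 + hlen
        if htype == 11:                             # certificate_list: 24-bit length + DER each
            certs, j, end = [], 3, 3 + int.from_bytes(body[:3], "big")
            while j < end:
                ln = int.from_bytes(body[j:j + 3], "big")
                certs.append(body[j + 3:j + 3 + ln])
                j += 3 + ln
            return certs
    return []

# Placeholder subject to pin; a real rule would carry the fields observed in the Adwind pcap.
KNOWN_BAD_SUBJECTS = {"CN=assumed.example, O=Assumed Org, C=XX"}
def is_known_bad(stream):
    """Port-agnostic check: does any server certificate carry a known-bad subject?"""
    return any(cert_summary(c)["subject"] in KNOWN_BAD_SUBJECTS for c in server_certificates(stream))

# --- constructed sample: placeholder names, NOT the real Adwind certificate ---
SAMPLE_SUBJECT = [(b"\x55\x04\x03", "assumed.example"), (b"\x55\x04\x0a", "Assumed Org"),
                  (b"\x55\x04\x06", "XX")]

def build_sample_cert(attrs=SAMPLE_SUBJECT):
    """Self-signed-shaped X.509 DER with placeholder key and signature bits."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
           + der_name(attrs)                                          # issuer == subject
           + der(0x30, der(0x17, b"150301000000Z") + der(0x17, b"250301000000Z"))
           + der_name(attrs)
           + der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" * 17)))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 17))

def build_sample_stream(cert):
    """Server side of a TLS 1.2 handshake (ServerHello + Certificate); the port does not matter."""
    rec = lambda m: b"\x16\x03\x03" + struct.pack("!H", len(m)) + m
    msg = lambda t, b: bytes([t]) + len(b).to_bytes(3, "big") + b
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    clist = len(cert).to_bytes(3, "big") + cert
    return rec(msg(2, hello)) + rec(msg(11, len(clist).to_bytes(3, "big") + clist))
```

To run this against a real capture, export the server-to-client direction of the port-1818 stream from Wireshark (Follow TCP Stream, pick one direction, Save as raw) and pass the bytes to server_certificates() or is_known_bad(). Only the cleartext handshake records are parsed, which is enough here because TLS 1.2 and earlier send the Certificate message unencrypted; the SHA-1 fingerprint that cert_summary() returns is what you would pin if the subject fields ever proved too generic.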
Currently, this may be the best way to identify Adwind-based post-infection traffic: look for SSL/TLS traffic on a non-standard TCP port whose server presents that particular certificate. Key on the certificate fields rather than on the port number alone; the certificate is the constant, since it has been the same since March 2015.

Malware samples

Below, I've included information on examples of Adwind malware found during the past week:

File name: Invoice-Processed.jar
File name: Products List.jar
File name: Purchase Order (PO).jar
File name: Invoice.jar
File name: DHL SHIPPING DOCUMENTS PDF.jar
File name: Request Quotation Item.jar
File name: Price Check.jar
File name: Invoice.jar
File name: CDX30404.jar
File name: PO#192603.jar
Final words

I collected some emails from the past few days, sanitized them, and saved them to a zip archive. That archive is available at:

The zip archive is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

This malspam might all be from the same botnet, but I haven't had time to dig through the malware samples to confirm. Furthermore, my view is limited to whatever I collect from the spam filters at my current employer. I suspect other organizations with access to more data have better insight. If any of you have encountered examples of this malspam, feel free to share in the comments.

---

References:

[1] http://blog.crowdstrike.com/adwind-rat-rebranding/
Brad, ISC Handler, Aug 18th 2015
| To infect a Windows computer, the user has to execute the
| malware by double-clicking on the .jar file.

Really? Standard installations of Windows don't have an association for .JAR files!
Anonymous, Aug 14th 2015
Good point! You have to have the Java Runtime Environment installed. Forgot to mention that in the article; I'll fix that. But otherwise it works that way, at least for what I've seen.
Brad, ISC Handler, Aug 14th 2015
IFF you really need to have a Java Runtime Environment installed: do you ALSO really need to have your users run arbitrary .JAR files?

If not, then (consider to) enable Software Restriction Policies, a.k.a. SAFER, to deny execution in %USERPROFILE% and add .JAR as an "executable" extension, or restrict the JRE to run only (properly) signed .JAR files.
Anonymous, Aug 15th 2015
All of the ones we have seen recently will not work under Java 1.8 but do reliably work under Java 1.6 and 1.7. Running it on a test machine using Java 1.8 gives a pop-up warning saying 1.8 found, needs 1.7. Provided a user has the latest version of Java installed, the current risk from these is vastly lessened.

We have been seeing these create Image File Execution Options entries to block most common anti-virus products from running.
DVK01, Aug 19th 2015