Adwind: another payload for botnet-based malspam

Adwind: another payload for botnet-based malspam
Updated 2015-08-18 to include information on AlienSpy transitioning to JSocket v1.0. Introduction Since mid-July 2015, I've noticed an increase in malicious spam (malspam) caught by my employer's spam filters with java archive (.jar file) attachments. These .jar files are most often identified as Adwind. Adwind is a Java-based remote access tool (RAT) used by malware authors to infect computers with backdoor access. There's no vulnerability involved. To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file. Of course, you have to have the Java Runtime Environment installed, which many people do. I previously associated Adwind with targeted phishing attempts in limited amounts. I had found very few examples of non-targeted malspam using this RAT. However, we're currently seeing enough Adwind-based malspam to ask: Is Adwind now another payload for botnet-based malspam? Background Adwind originated from the Frutas RAT [1]. Frutas was a Java-based RAT discovered by Symantec from underground forums in early 2013 [2]. By the summer of 2013, the name had changed to Adwind, and signatures for Adwind-based malware were implemented by anti-virus companies [3]. In November of 2013, Adwind was rebranded and sold under a new name: UNRECOM (UNiversal REmote COntrol Multi-platform) [1]. Throughout 2013, we noticed a few occasions of Adwind used in phishing attempts. 2014 saw an increase of Adwind/UNRECOM malware used in phishing campaigns targeting "U.S. state and local government, technology, advisory services, health, and financial sectors" [4]. By April 2015, a new Adwind/UNCRECOM variant called AlienSpy was widely reported, and this new variant included Transport Layer Security (TLS) encryption for command-and-control communications. These TLS communications involve certificates. EmergingThreats posted a signature for Adwind-based certificates in March of 2015 [5], and Fidelis CyberSecurity Solutions published an in-depth report on AlienSpy the following month [6]. Recent updates 2015-04-10: AlienSpy domain suspended by Godaddy shortly after a report on this RAT was published by Fidelis [7]. 2015-04-19: JSocket.org registered through eNom. 2015-06-23: JSocket.org's first blog entry stating the project started on 2015-06-23 [8]. 2015-07-10: Another entry (now removed) states AlienSpy would stop on 2015-07-11, telling AlienSpy users to update to JSocket. As recently as 2015-08-18, a site called Rekings currently shows its AlienSpy entry tagged as JSocket v1.0 [9]. Shown above: Blog entry showing AlienSpy transitioned to JSocket on 2015-07-11. Shown above: At least one reseller has tagged AlienSpy as JSocket v1.0. The naming progression appears to be: Frutas -> Adwind -> UNRECOM -> AlienSpy -> JSocket. From what I can tell, it's all been Java-based malware sent as .jar file attachments in phishing emails. Many people still refer to it as Adwind, which is how I see it identified most often. Not counting targeted attempts, I've found Adwind-based malspam maybe once every month or two. That changed in mid-July 2015. After that, the amount of malspam with Adwind increased dramatically. Currently, I see at least one Adwind-based malspam every day on average. The frequency of this malspam along with the variety of subject lines, attachment names, and senders indicate Adwind is no longer limited to targeted attacks. Frutas/Adwind/UNRECOM/AlienSpy/JSocket (whatever you want to call it) appears to be another payload for botnet-based malspam. The emails Here's a sample of the different senders, subjects, and attachment names I've seen for Adwind-based malspam since mid-July 2015: Read: Date -- Sender (most often spoofed) -- Subject -- Attachment name(s) 2015-07-14 -- Credit Control [creditcontrol@bwfllc.co] -- Chaps Payement -- Chaps Payment Copy.jar 2015-07-17 -- Kathryn Harriman [williamhui@bgf.com.hk] -- Re: New Order -- product list.jar 2015-07-25 -- Karianne Maltun [geral@eimigrante.pt] -- RE :Payment Preparation=0590-PI/Invoice -- payment_Order .jar 2015-07-27 -- Vivian Joe [noreply@googlemail.com] -- Purchasing order -- PURCHASING Order.jar 2015-07-29 -- NAB Customer Service [trusplus@sify.com] -- PAYMENT ADVICE -- PAYMENT SWIFT MT103 NAB BANK PDF.jar 2015-07-30 -- sales.qnijewels@gmail.com -- Fwd: Outstanding Invoices -- SOA AS OF JUly.jar 2015-07-30 -- Karianne Maltun [a.macesic@inspectorate-croatia.hr] -- Scanned DUC-Invoice -- Invoice.jar 2015-07-31 -- [Andrea@intl.westernunion.com] -- Wupos Update -- Wupos_update_0940002TT12212.jar 2015-07-31 -- [office@regcon-asia.kz] -- Find the swift copy for the balance payment !! -- payment.invoice.1.jar 2015-08-03 -- Juliet Helix [noreply@googlemail.com] -- Purchasing Order -- Purchasing Order..jar 2015-08-03 -- Wilborax Trading Company Ltd. [top@jviincentthailand.com] -- Re: PO 6785435 30-08-2015 -- PO 6785435 30-08-2015 PDF.jar 2015-08-06 -- Eduardo A. Iguina [info@al-rddadi.com.sa] -- Re: Payment Processed. -- PI-Invoice-0972-DUC.jar 2015-08-06 -- Sales!!! UST-TRADE Co,. Ltd [sales11@laurence-chocolate.gr] -- Re: Enquiry -- P.O_001_UST-TRADE.jar 2015-08-06 -- Lynnea Trade Co,. LTD [vinita.sharma@frrforex.in] -- Re: P.0 18003. -- P.O_18003.jar 2015-08-09 -- Eduardo A. Iguina [d.pavic@inspectorate-croatia.hr] -- Re: Payment Processed -- Invoice-Processed.jar 2015-08-09 -- KAZA EQUIPMENT LTD [private@premier-gps.com] -- PO#192603 -- Products List.jar , Purchase Order (PO).jar 2015-08-10 -- [info@fulplanet.com] -- Invoice order -- Invoice.jar 2015-08-10 -- DHL Customer Service [trusplus@sify.com] -- DHL SHIPMENT NO. 7032540771 of EXP -15016 -- DHL SHIPPING DOCUMENTS PDF.jar 2015-08-10 -- Ditana Amir Cohen [Elvgncl@gmail.com] -- Request Quotation for Listed Item -- Request Quotation Item.jar 2015-08-11 -- Florence Walton [fax@chartered.co.th] -- Winter Order to Brazil. -- Price Check.jar 2015-08-12 -- [info@fulplanet.com] -- Re: Invoices payable -- Invoice.jar 2015-08-12 -- [freya@byloth.nl] -- Re: Company Address And Bank Detail -- CDX30404.jar 2015-08-13 -- Sandy [private@premier-gps.com] -- PO#192603 -- PO#192603.jar Prior to that, I saw Adwind-based malware maybe once every month or two. I never paid much attention to it until I noticed the recent increase. Some screenshots are shown below: The malware I collected some samples during the past week and examined them. With the appropriate software packages installed, I could use the command *jar tf [filename]* to list the contents of the Java archive. Most (but not all) of the .jar files had this internal file structure: META-INF/MANIFEST.MF b.txt a.txt a/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class b/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class c/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class Main.class dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIiiiiiIiII.class dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIIiiIiiiII.class dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIiiiiIiIII.class dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIIIiIiIiIi.class Shown above: Listing some of the Adwind .jar files' contents *Command and control communications* Samples collected during the past week show the following TLS-encrypted SSL traffic after the infection: Read: host name - IP address - port p0.corotext.com - 91.236.116.185 - TCP port 588 pauloo1.corotext.com - 91.236.116.185 - TCP Port 8001 trusplus111.gotdns.ch - 197.255.170.191 - TCP port 10000 selkrom.ddns.net - 111.118.183.211 - TCP port 9887 serialcheck55.serveblog.net - 185.19.85.172 TCP port 1818 I examined a pcap from the last malware sample above, with command-and-control traffic on TCP port 1818. You can find the certificate associated with Adwind in Wireshark. First, follow a TCP stream with the traffic on port 1818. From the Wireshark menu, select: Analyze -> Decode As. In the window that pops up, select the Transport tab and scroll down to SSL, then apply. Wireshark will now parse this TCP stream as SSL. You can find the certificate information as shown in the image below: This still shows the same certificate information used since EmergingThreats tagged it in their snort signature from March 2015 [5]. I saw the same certificate information used last week [10], and it continues this week. commonName = assylias organizationName = assylias.Inc countryName = FR Currently, this may be the best way to identify Adwind-based post-infection traffic. Look for SSL traffic on a non-standard TCP port using that particular certificate. Malware samples Below, I've included information on examples for Adwind malware found during the past week: File name: *Invoice-Processed.jar* File size 96.5 KB ( 98,866 bytes ) MD5 hash: d93dd17a9adf84ca2839708d603d3bd6 SHA1 hash: ddca2db7b7ac42d8a4a23c2e8ed85de5e91dbf29 SHA256 hash: d5d3d46881d8061bb3679aee67715f38bebefb6251eb3fdfa4a58596db8f5b16 Detection ratio: 8 / 50 First submission: 2015-08-09 08:27:37 UTC Virus Total link - Malwr link - Hybrid-Analysis link Command and control: p0.corotext.com - 91.236.116.185 - TCP port 588 File name: *Products List.jar* File size: 99.0 KB ( 101,349 bytes ) MD5 hash: 201fd695feba07408569f608cd639465 SHA1 hash: b11857de46ba3365af5f46171bbe126f19483fee SHA256 hash: 0e198e6e1b9cfa5be0d9829e10717093487548b5c0d6fbbeaae6be1d53691098 Detection ratio: 8 / 56 First submission: 2015-08-10 19:42:56 UTC Virus Total link - Malwr link - Hybrid-Analysis link File name: *Purchase Order (PO).jar* File size: 99.0 KB ( 101,344 bytes ) MD5 hash: 78990750a764dce7a7a539fb797298a1 SHA1 hash: af35dc7c1e4a32d53fe41e2debc73a82cc1f52bd SHA256 hash: 9eeeb3b6be01ad321c5036e6c2c8c78244b016bf7900b6fd3251139149dae059 Detection ratio: 8 / 56 First submission: 2015-08-10 19:43:20 UTC Virus Total link - Malwr link - Hybrid-Analysis link File name: *Invoice.jar* File size: 96.6 KB ( 98,903 bytes ) MD5 hash: da9f9b69950a64527329887f8168f0b4 SHA1 hash: 752fab5861093e7171463b0b945e534e1ff66253 SHA256 hash: 70290f0ffffcb4f8d90bce59f16105fd5ff61866e3dda5545b122b3c4098051b Detection ratio: 10 / 56 First submission: 2015-08-10 06:40:09 UTC VirusTotal link - Malwr link - Hybrid-Analysis link Command and control: pauloo1.corotext.com - 91.236.116.185 - TCP Port 8001 File name: DHL SHIPPING DOCUMENTS PDF.jar File size: 99.0 KB ( 101,342 bytes ) MD5 hash: 1fb2b0742e448124c000c34912765634 SHA1 hash: 29d5d03dab95cd5d38bd691d5559202816d36417 SHA256 hash: ff2b35d58d2e1ade904187eeffba709c84a9a998c6323b22fc5b7cac74cd1293 Detection ratio: 25 / 56 First submission: 2015-08-10 10:12:16 UTC VirusTotal Link - Malwr link - Hybrid-Analysis link Command and control: trusplus111.gotdns.ch - 197.255.170.191 - TCP port 10000 File name: *Request Quotation Item.jar* File size: 99.0 KB ( 101,370 bytes ) MD5 hash: e08b81fd1b1b409096e65011e96ac62b SHA1 hash: 0fa5ce77ba5df13c596824681402c3ece7b5c1e8 SHA256 hash: 771bb9fe6db1453e3de20ba7c39b8502c1249c6fcfd0022031ab767636136e7a Detection ratio: 26 / 56 First submission: 2015-08-10 19:09:04 UTC VirusTotal link - Malwr link - Hybrid-Analysis link Command and control: selkrom.ddns.net - 111.118.183.211 - TCP port 9887 File name: *Price Check.jar* File size: 99.0 KB ( 101,359 bytes ) MD5 hash: 5190bde4532248eb133f4dae044c492a SHA1 hash: 54484c3a466fb8efb982520a714045d218c83dcf SHA256 hash: d54e97bc1204f3674572d60e17db04c11bbe018ba9ab0250bd881cbcc5a9622e Detection ratio: 25 / 56 First submission: 2015-08-11 15:57:22 UTC VirusTotal link - Malwr link - Hybrid-Analysis link File name: *Invoice.jar* File size: 93.2 KB ( 95,455 bytes ) MD5 hash: 0df04436cce61f791ec7da24ab34d71b SHA1 hash: 75fa848e0048e040aed231f9db45b14bf1a903d7 SHA256 hash: f2188d223305092fe0a9c8be89c69e149c33c3ea4b1c0843fda00771ac72272d Detection ratio: 10 / 55 First submission: 2015-08-12 19:53:46 UTC VirusTotal link - Malwr link - Hybrid-Analysis link File name: CDX30404.jar File size: 100.6 KB ( 102,970 bytes ) MD5 hash: 5ab9653be58e63bf8df7fb9bd74fa636 SHA1 hash: 3af9157dffde41f673cdacc295f2887b5c56e357 SHA256 hash: f8f99b405c932adb0f8eb147233bfef1cf3547988be4d27efd1d6b05a8817d46 Detection ratio: 22 / 49 First submission: 2015-08-09 20:57:26 UTC VirusTotal link - Malwr link - Hybrid-Analysis link Command and control: serialcheck55.serveblog.net - 185.19.85.172 TCP port 1818 File name: *PO#192603.jar* File size: 95.6 KB ( 97,918 bytes ) MD5 hash: c5cdbf91ebd4bab736504415806a96b7 SHA1 hash: ceb29d24f0dc96d867c9a99306d155a31c5eb807 SHA256 hash: 48a0859478fb2b659e527ed06abf44ef40d84c37a5117d49ca2312feed1b1b7d Detection ratio: 13 / 56 First submission: 2015-08-13 17:21:33 UTC VirusTotal link - Malwr link - Hybrid-Analysis link Final words I collected some emails from the past few days, sanitized them, and saved them to a zip archive. That archive is available at: http://malware-traffic-analysis.net/2015/08/14/2015-08-14-ISC-diary-Adwind-examples.zip The zip archive is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask. This malspam might all be from the same botnet, but I haven't had time to dig through the malware samples to confirm. Furthermore, my view is limited to whatever I collect from the spam filters at my current employer. I suspect other organizations with access to more data have better insight. If any of you have encountered examples of this malspam, feel free to share in the comments. --- Brad Duncan Security Researcher at Rackspace Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic References: [1] http://blog.crowdstrike.com/adwind-rat-rebranding/ [2] http://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door [3] https://www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99 [4] http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf [5] http://doc.emergingthreats.net/bin/view/Main/2020728 [6] http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf [7] http://www.threatgeek.com/2015/04/tango-down-alienspy-is-offline-as-of-this-morning.html [8] https://jsocket.org/blog/new-project/ [9] https://www.rekings.com/product-tag/jsocket-v1-0/ [10] http://malware-traffic-analysis.net/2015/08/06/index.html	Brad 353 Posts ISC Handler
Subscribe	Aug 18th 2015 4 years ago
\| To infect a Windows computer, the user has to execute the \| malware by double-clicking on the .jar file. Really? Standard installations of Windows dont have an association for .JAR files!	Anonymous
Quote	Aug 14th 2015 4 years ago
Good point! You have to have Java Runtime Environment installed. Forgot to mention that in the article. I'll fix that. But otherwise it works that way, at least for what I've seen.	Brad 353 Posts ISC Handler
Quote	Aug 14th 2015 4 years ago
IFF you really need to have a Java Runtime Environment installed: do you ALSO really need to have your users run arbitrary .JAR files? If not then (consider to) enable Software Restriction Policies a.k.a. SAFER to deny execution in %USERPROFILE% and add .JAR as "executable" extension, or restrict the JRE to run only (properly) signed .JAR files.	Anonymous
Quote	Aug 15th 2015 4 years ago
All of the ones we have seen recently will not work under Java 1.8 but do reliably work under Java 1.6 and 1.7 Running it on a test machine using Java 1.8 gives a pop up warning saying 1.8 found, needs 1.7 Provided a user has the latest Version of Java installed the current risk form these is vastly lessened. We have been seeing these create an Image File Execution Options to block most common anti-virus products form running	DVK01 21 Posts
Quote	Aug 19th 2015 4 years ago

Updated 2015-08-18 to include information on AlienSpy transitioning to JSocket v1.0.

Introduction

Since mid-July 2015, I've noticed an increase in malicious spam (malspam) caught by my employer's spam filters with java archive (.jar file) attachments. These .jar files are most often identified as Adwind. Adwind is a Java-based remote access tool (RAT) used by malware authors to infect computers with backdoor access. There's no vulnerability involved. To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file. Of course, you have to have the Java Runtime Environment installed, which many people do.

I previously associated Adwind with targeted phishing attempts in limited amounts. I had found very few examples of non-targeted malspam using this RAT.

However, we're currently seeing enough Adwind-based malspam to ask: Is Adwind now another payload for botnet-based malspam?

Background

Adwind originated from the Frutas RAT [1]. Frutas was a Java-based RAT discovered by Symantec from underground forums in early 2013 [2]. By the summer of 2013, the name had changed to Adwind, and signatures for Adwind-based malware were implemented by anti-virus companies [3]. In November of 2013, Adwind was rebranded and sold under a new name: UNRECOM (UNiversal REmote COntrol Multi-platform) [1].

Throughout 2013, we noticed a few occasions of Adwind used in phishing attempts. 2014 saw an increase of Adwind/UNRECOM malware used in phishing campaigns targeting "U.S. state and local government, technology, advisory services, health, and financial sectors" [4].

By April 2015, a new Adwind/UNCRECOM variant called AlienSpy was widely reported, and this new variant included Transport Layer Security (TLS) encryption for command-and-control communications. These TLS communications involve certificates. EmergingThreats posted a signature for Adwind-based certificates in March of 2015 [5], and Fidelis CyberSecurity Solutions published an in-depth report on AlienSpy the following month [6].

Recent updates

2015-04-10: AlienSpy domain suspended by Godaddy shortly after a report on this RAT was published by Fidelis [7].
2015-04-19: JSocket.org registered through eNom.
2015-06-23: JSocket.org's first blog entry stating the project started on 2015-06-23 [8].
2015-07-10: Another entry (now removed) states AlienSpy would stop on 2015-07-11, telling AlienSpy users to update to JSocket.
As recently as 2015-08-18, a site called Rekings currently shows its AlienSpy entry tagged as JSocket v1.0 [9].

Shown above: Blog entry showing AlienSpy transitioned to JSocket on 2015-07-11.

Shown above: At least one reseller has tagged AlienSpy as JSocket v1.0.

The naming progression appears to be: Frutas -> Adwind -> UNRECOM -> AlienSpy -> JSocket. From what I can tell, it's all been Java-based malware sent as .jar file attachments in phishing emails. Many people still refer to it as Adwind, which is how I see it identified most often.

Not counting targeted attempts, I've found Adwind-based malspam maybe once every month or two. That changed in mid-July 2015. After that, the amount of malspam with Adwind increased dramatically. Currently, I see at least one Adwind-based malspam every day on average. The frequency of this malspam along with the variety of subject lines, attachment names, and senders indicate Adwind is no longer limited to targeted attacks. Frutas/Adwind/UNRECOM/AlienSpy/JSocket (whatever you want to call it) appears to be another payload for botnet-based malspam.

The emails

Here's a sample of the different senders, subjects, and attachment names I've seen for Adwind-based malspam since mid-July 2015:

Read: Date -- Sender (most often spoofed) -- Subject -- Attachment name(s)

2015-07-14 -- Credit Control [creditcontrol@bwfllc.co] -- Chaps Payement -- Chaps Payment Copy.jar
2015-07-17 -- Kathryn Harriman [williamhui@bgf.com.hk] -- Re: New Order -- product list.jar
2015-07-25 -- Karianne Maltun [geral@eimigrante.pt] -- RE :Payment Preparation=0590-PI/Invoice -- payment_Order .jar
2015-07-27 -- Vivian Joe [noreply@googlemail.com] -- Purchasing order -- PURCHASING Order.jar
2015-07-29 -- NAB Customer Service [trusplus@sify.com] -- PAYMENT ADVICE -- PAYMENT SWIFT MT103 NAB BANK PDF.jar
2015-07-30 -- sales.qnijewels@gmail.com -- Fwd: Outstanding Invoices -- SOA AS OF JUly.jar
2015-07-30 -- Karianne Maltun [a.macesic@inspectorate-croatia.hr] -- Scanned DUC-Invoice -- Invoice.jar
2015-07-31 -- [Andrea@intl.westernunion.com] -- Wupos Update -- Wupos_update_0940002TT12212.jar
2015-07-31 -- [office@regcon-asia.kz] -- Find the swift copy for the balance payment !! -- payment.invoice.1.jar
2015-08-03 -- Juliet Helix [noreply@googlemail.com] -- Purchasing Order -- Purchasing Order..jar
2015-08-03 -- Wilborax Trading Company Ltd. [top@jviincentthailand.com] -- Re: PO 6785435 30-08-2015 -- PO 6785435 30-08-2015 PDF.jar
2015-08-06 -- Eduardo A. Iguina [info@al-rddadi.com.sa] -- Re: Payment Processed. -- PI-Invoice-0972-DUC.jar
2015-08-06 -- Sales!!! UST-TRADE Co,. Ltd [sales11@laurence-chocolate.gr] -- Re: Enquiry -- P.O_001_UST-TRADE.jar
2015-08-06 -- Lynnea Trade Co,. LTD [vinita.sharma@frrforex.in] -- Re: P.0 18003. -- P.O_18003.jar
2015-08-09 -- Eduardo A. Iguina [d.pavic@inspectorate-croatia.hr] -- Re: Payment Processed -- Invoice-Processed.jar
2015-08-09 -- KAZA EQUIPMENT LTD [private@premier-gps.com] -- PO#192603 -- Products List.jar , Purchase Order (PO).jar
2015-08-10 -- [info@fulplanet.com] -- Invoice order -- Invoice.jar
2015-08-10 -- DHL Customer Service [trusplus@sify.com] -- DHL SHIPMENT NO. 7032540771 of EXP -15016 -- DHL SHIPPING DOCUMENTS PDF.jar
2015-08-10 -- Ditana Amir Cohen [Elvgncl@gmail.com] -- Request Quotation for Listed Item -- Request Quotation Item.jar
2015-08-11 -- Florence Walton [fax@chartered.co.th] -- Winter Order to Brazil. -- Price Check.jar
2015-08-12 -- [info@fulplanet.com] -- Re: Invoices payable -- Invoice.jar
2015-08-12 -- [freya@byloth.nl] -- Re: Company Address And Bank Detail -- CDX30404.jar
2015-08-13 -- Sandy [private@premier-gps.com] -- PO#192603 -- PO#192603.jar

Prior to that, I saw Adwind-based malware maybe once every month or two. I never paid much attention to it until I noticed the recent increase. Some screenshots are shown below:

The malware

I collected some samples during the past week and examined them. With the appropriate software packages installed, I could use the command jar tf [filename] to list the contents of the Java archive. Most (but not all) of the .jar files had this internal file structure:

META-INF/MANIFEST.MF
b.txt
a.txt
a/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class
b/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class
c/dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class
dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwiiIiiIIIii.class
Main.class
dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIiiiiiIiII.class
dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIIiiIiiiII.class
dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIiiiiIiIII.class
dewmhGAv5r0QGW5ll9yAZViufg7Kw96lY5dWkbn4Eq8ZBiNW8azEnBVN7TqbhwMvgiKJW1D3lw9muhhJ2jxGQYjlwIIIiIiIiIi.class

Shown above: Listing some of the Adwind .jar files' contents

Command and control communications

Samples collected during the past week show the following TLS-encrypted SSL traffic after the infection:

Read: host name - IP address - port

p0.corotext.com - 91.236.116.185 - TCP port 588
pauloo1.corotext.com - 91.236.116.185 - TCP Port 8001
trusplus111.gotdns.ch - 197.255.170.191 - TCP port 10000
selkrom.ddns.net - 111.118.183.211 - TCP port 9887
serialcheck55.serveblog.net - 185.19.85.172 TCP port 1818

I examined a pcap from the last malware sample above, with command-and-control traffic on TCP port 1818. You can find the certificate associated with Adwind in Wireshark. First, follow a TCP stream with the traffic on port 1818. From the Wireshark menu, select: Analyze -> Decode As.

In the window that pops up, select the Transport tab and scroll down to SSL, then apply.

Wireshark will now parse this TCP stream as SSL. You can find the certificate information as shown in the image below:

This still shows the same certificate information used since EmergingThreats tagged it in their snort signature from March 2015 [5]. I saw the same certificate information used last week [10], and it continues this week.

commonName = assylias
organizationName = assylias.Inc
countryName = FR

Currently, this may be the best way to identify Adwind-based post-infection traffic. Look for SSL traffic on a non-standard TCP port using that particular certificate.

Malware samples

Below, I've included information on examples for Adwind malware found during the past week:

File name: Invoice-Processed.jar

File size 96.5 KB ( 98,866 bytes )
MD5 hash: d93dd17a9adf84ca2839708d603d3bd6
SHA1 hash: ddca2db7b7ac42d8a4a23c2e8ed85de5e91dbf29
SHA256 hash: d5d3d46881d8061bb3679aee67715f38bebefb6251eb3fdfa4a58596db8f5b16
Detection ratio: 8 / 50
First submission: 2015-08-09 08:27:37 UTC
Virus Total link - Malwr link - Hybrid-Analysis link
Command and control: p0.corotext.com - 91.236.116.185 - TCP port 588

File name: Products List.jar

File size: 99.0 KB ( 101,349 bytes )
MD5 hash: 201fd695feba07408569f608cd639465
SHA1 hash: b11857de46ba3365af5f46171bbe126f19483fee
SHA256 hash: 0e198e6e1b9cfa5be0d9829e10717093487548b5c0d6fbbeaae6be1d53691098
Detection ratio: 8 / 56
First submission: 2015-08-10 19:42:56 UTC
Virus Total link - Malwr link - Hybrid-Analysis link

File name: Purchase Order (PO).jar

File size: 99.0 KB ( 101,344 bytes )
MD5 hash: 78990750a764dce7a7a539fb797298a1
SHA1 hash: af35dc7c1e4a32d53fe41e2debc73a82cc1f52bd
SHA256 hash: 9eeeb3b6be01ad321c5036e6c2c8c78244b016bf7900b6fd3251139149dae059
Detection ratio: 8 / 56
First submission: 2015-08-10 19:43:20 UTC
Virus Total link - Malwr link - Hybrid-Analysis link

File name: Invoice.jar

File size: 96.6 KB ( 98,903 bytes )
MD5 hash: da9f9b69950a64527329887f8168f0b4
SHA1 hash: 752fab5861093e7171463b0b945e534e1ff66253
SHA256 hash: 70290f0ffffcb4f8d90bce59f16105fd5ff61866e3dda5545b122b3c4098051b
Detection ratio: 10 / 56
First submission: 2015-08-10 06:40:09 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link
Command and control: pauloo1.corotext.com - 91.236.116.185 - TCP Port 8001

File name: DHL SHIPPING DOCUMENTS PDF.jar

File size: 99.0 KB ( 101,342 bytes )
MD5 hash: 1fb2b0742e448124c000c34912765634
SHA1 hash: 29d5d03dab95cd5d38bd691d5559202816d36417
SHA256 hash: ff2b35d58d2e1ade904187eeffba709c84a9a998c6323b22fc5b7cac74cd1293
Detection ratio: 25 / 56
First submission: 2015-08-10 10:12:16 UTC
VirusTotal Link - Malwr link - Hybrid-Analysis link
Command and control: trusplus111.gotdns.ch - 197.255.170.191 - TCP port 10000

File name: Request Quotation Item.jar

File size: 99.0 KB ( 101,370 bytes )
MD5 hash: e08b81fd1b1b409096e65011e96ac62b
SHA1 hash: 0fa5ce77ba5df13c596824681402c3ece7b5c1e8
SHA256 hash: 771bb9fe6db1453e3de20ba7c39b8502c1249c6fcfd0022031ab767636136e7a
Detection ratio: 26 / 56
First submission: 2015-08-10 19:09:04 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link
Command and control: selkrom.ddns.net - 111.118.183.211 - TCP port 9887

File name: Price Check.jar

File size: 99.0 KB ( 101,359 bytes )
MD5 hash: 5190bde4532248eb133f4dae044c492a
SHA1 hash: 54484c3a466fb8efb982520a714045d218c83dcf
SHA256 hash: d54e97bc1204f3674572d60e17db04c11bbe018ba9ab0250bd881cbcc5a9622e
Detection ratio: 25 / 56
First submission: 2015-08-11 15:57:22 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link

File name: Invoice.jar

File size: 93.2 KB ( 95,455 bytes )
MD5 hash: 0df04436cce61f791ec7da24ab34d71b
SHA1 hash: 75fa848e0048e040aed231f9db45b14bf1a903d7
SHA256 hash: f2188d223305092fe0a9c8be89c69e149c33c3ea4b1c0843fda00771ac72272d
Detection ratio: 10 / 55
First submission: 2015-08-12 19:53:46 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link

File name: CDX30404.jar

File size: 100.6 KB ( 102,970 bytes )
MD5 hash: 5ab9653be58e63bf8df7fb9bd74fa636
SHA1 hash: 3af9157dffde41f673cdacc295f2887b5c56e357
SHA256 hash: f8f99b405c932adb0f8eb147233bfef1cf3547988be4d27efd1d6b05a8817d46
Detection ratio: 22 / 49
First submission: 2015-08-09 20:57:26 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link
Command and control: serialcheck55.serveblog.net - 185.19.85.172 TCP port 1818

File name: PO#192603.jar

File size: 95.6 KB ( 97,918 bytes )
MD5 hash: c5cdbf91ebd4bab736504415806a96b7
SHA1 hash: ceb29d24f0dc96d867c9a99306d155a31c5eb807
SHA256 hash: 48a0859478fb2b659e527ed06abf44ef40d84c37a5117d49ca2312feed1b1b7d
Detection ratio: 13 / 56
First submission: 2015-08-13 17:21:33 UTC
VirusTotal link - Malwr link - Hybrid-Analysis link

Final words

I collected some emails from the past few days, sanitized them, and saved them to a zip archive. That archive is available at:

http://malware-traffic-analysis.net/2015/08/14/2015-08-14-ISC-diary-Adwind-examples.zip

The zip archive is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

This malspam might all be from the same botnet, but I haven't had time to dig through the malware samples to confirm. Furthermore, my view is limited to whatever I collect from the spam filters at my current employer. I suspect other organizations with access to more data have better insight.

If any of you have encountered examples of this malspam, feel free to share in the comments.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://blog.crowdstrike.com/adwind-rat-rebranding/
[2] http://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door
[3] https://www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99
[4] http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf
[5] http://doc.emergingthreats.net/bin/view/Main/2020728
[6] http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf
[7] http://www.threatgeek.com/2015/04/tango-down-alienspy-is-offline-as-of-this-morning.html
[8] https://jsocket.org/blog/new-project/
[9] https://www.rekings.com/product-tag/jsocket-v1-0/
[10] http://malware-traffic-analysis.net/2015/08/06/index.html

Brad

353 Posts
ISC Handler

| To infect a Windows computer, the user has to execute the
| malware by double-clicking on the .jar file.

Really?
Standard installations of Windows dont have an association for .JAR files!

Anonymous

Good point! You have to have Java Runtime Environment installed. Forgot to mention that in the article. I'll fix that. But otherwise it works that way, at least for what I've seen.

Brad

353 Posts
ISC Handler

IFF you really need to have a Java Runtime Environment installed: do you ALSO really need to have your users run arbitrary .JAR files?

If not then (consider to) enable Software Restriction Policies a.k.a. SAFER to deny execution in %USERPROFILE% and add .JAR as "executable" extension, or restrict the JRE to run only (properly) signed .JAR files.

Anonymous

All of the ones we have seen recently will not work under Java 1.8 but do reliably work under Java 1.6 and 1.7
Running it on a test machine using Java 1.8 gives a pop up warning saying 1.8 found, needs 1.7
Provided a user has the latest Version of Java installed the current risk form these is vastly lessened.
We have been seeing these create an Image File Execution Options to block most common anti-virus products form running

DVK01

21 Posts