Java-based Trojan was used to attack over 400,000 systems
The Adwind/AlienSpy RAT is back in action as the JSocket malware-as-a-service platform
A cross-platform remote access Trojan that’s being openly sold as a service to all types of attackers, from opportunistic cybercriminals to cyberespionage groups, has been used to attack more than 400,000 systems over the past three years.
The RAT (Remote Access Tool/Trojan), which depending on the variant is known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or JSocket, is evidence of how successful the malware-as-a-service model can be for malware creators.
Adwind is written in Java, so it can run on any OS that has a Java runtime installed including Windows, Mac OS X, Linux and Android. The Trojan has been continuously developed since at least 2012 and is being sold out in the open via a public website.
Like most Trojans, Adwind can be used to remotely control infected computers; to steal files, key strokes and saved passwords; to record audio and video through the computer’s webcam and microphone and more. Because it has a modular architecture, users can also install plug-ins that extend its functionality.
The Adwind author, who researchers from Kaspersky Lab believe to be a Spanish-speaking individual, is selling access to the RAT on a subscription-based model, with prices ranging from $25 for 15 days to $300 a year. The buyers get technical support, obfuscation services to evade antivirus detection, virtual private network accounts and free scans with multiple antivirus engines to ensure that their sample is not detected when deployed.
Kaspersky Lab estimates that since 2013, attackers have attempted to infect over 440,000 systems with various versions of Adwind. Between August and January alone, attackers used the RAT in around 200 spear-phishing campaigns that have reached over 68,000 users.
The latest incarnation of Adwind was launched in June 2015 under the name JSocket and is still being sold.
“In 2015, Russia was the most attacked country, with UAE and Turkey again near the top, along with the USA, Turkey and Germany,” the Kaspersky researchers said in a blog post.
They estimated that by the end of 2015 there were around 1,800 Adwind/JSocket users, putting the developer’s annual revenue at over $200,000. The large number of users makes it hard to build an attacker profile. The RAT could be used by anyone from low-level scammers to cyberspies and private individuals looking to monitor their partners or spouses.
In December, researchers working with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs documented the activities of a group of attackers that targeted politicians, journalists and public figures from several South American countries. An earlier version of Adwind, called AlienSpy, was listed as one of the malware tools used by the group.
Kaspersky Lab itself started a detailed investigation into Adwind after a financial institution in Singapore received the RAT via rogue emails that were purporting to come from a major Malaysian bank. This was part of a targeted attack that the company believes was launched by a suspect of Nigerian origin who focuses on financial institutions.
“Despite several attempts to take down and stop the Adwind developers from distributing the malware, Adwind has survived for years and has been through rebranding and operational expansion that ranged from the provision of additional plugins for the malware to its own obfuscation tool and a even a warranty for FUD (fully undetected malware) to customers,” the Kaspersky researchers said in a research paper.
Since Adwind is written in Java, it is distributed as a JAR (Java Archive) file and needs the Java Runtime Environment (JRE) to run. One possible method to prevent its installation is to change the default application for handling JAR files to something like Notepad. This will prevent the code’s execution and will just result in a notepad window with gibberish text in it.
Of course, if JRE is not needed by other applications installed on a computer or by websites visited by its users, then it should be removed. Unfortunately that’s not possible in most business environments, as Java is still a major programming language for business applications.