Menu
Java-based Trojan was used to attack over 400,000 systems

Java-based Trojan was used to attack over 400,000 systems

The Adwind/AlienSpy RAT is back in action as the JSocket malware-as-a-service platform

A cross-platform remote access Trojan that's being openly sold as a service to all types of attackers, from opportunistic cybercriminals to cyberespionage groups, has been used to attack more than 400,000 systems over the past three years.

The RAT (Remote Access Tool/Trojan), which depending on the variant is known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or JSocket, is evidence of how successful the malware-as-a-service model can be for malware creators.

Adwind is written in Java, so it can run on any OS that has a Java runtime installed including Windows, Mac OS X, Linux and Android. The Trojan has been continuously developed since at least 2012 and is being sold out in the open via a public website.

Like most Trojans, Adwind can be used to remotely control infected computers; to steal files, key strokes and saved passwords; to record audio and video through the computer's webcam and microphone and more. Because it has a modular architecture, users can also install plug-ins that extend its functionality.

The Adwind author, who researchers from Kaspersky Lab believe to be a Spanish-speaking individual, is selling access to the RAT on a subscription-based model, with prices ranging from $25 for 15 days to $300 a year. The buyers get technical support, obfuscation services to evade antivirus detection, virtual private network accounts and free scans with multiple antivirus engines to ensure that their sample is not detected when deployed.

Kaspersky Lab estimates that since 2013, attackers have attempted to infect over 440,000 systems with various versions of Adwind. Between August and January alone, attackers used the RAT in around 200 spear-phishing campaigns that have reached over 68,000 users.

The latest incarnation of Adwind was launched in June 2015 under the name JSocket and is still being sold.

"In 2015, Russia was the most attacked country, with UAE and Turkey again near the top, along with the USA, Turkey and Germany," the Kaspersky researchers said in a blog post.

They estimated that by the end of 2015 there were around 1,800 Adwind/JSocket users, putting the developer's annual revenue at over $200,000. The large number of users makes it hard to build an attacker profile. The RAT could be used by anyone from low-level scammers to cyberspies and private individuals looking to monitor their partners or spouses.

In December, researchers working with the Citizen Lab at the University of Toronto's Munk School of Global Affairs documented the activities of a group of attackers that targeted politicians, journalists and public figures from several South American countries. An earlier version of Adwind, called AlienSpy, was listed as one of the malware tools used by the group.

Kaspersky Lab itself started a detailed investigation into Adwind after a financial institution in Singapore received the RAT via rogue emails that were purporting to come from a major Malaysian bank. This was part of a targeted attack that the company believes was launched by a suspect of Nigerian origin who focuses on financial institutions.

"Despite several attempts to take down and stop the Adwind developers from distributing the malware, Adwind has survived for years and has been through rebranding and operational expansion that ranged from the provision of additional plugins for the malware to its own obfuscation tool and a even a warranty for FUD (fully undetected malware) to customers," the Kaspersky researchers said in a research paper.

Since Adwind is written in Java, it is distributed as a JAR (Java Archive) file and needs the Java Runtime Environment (JRE) to run. One possible method to prevent its installation is to change the default application for handling JAR files to something like Notepad. This will prevent the code's execution and will just result in a notepad window with gibberish text in it.

Of course, if JRE is not needed by other applications installed on a computer or by websites visited by its users, then it should be removed. Unfortunately that's not possible in most business environments, as Java is still a major programming language for business applications.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments