Adwind RAT (Remote Access Trojan) is a cross-platform, multifunctional remote access program which is distributed through a single malware-as-a-service platform. One of the main features that distinguish the Adwind RAT from other commercial malware is its distribution openly in the form of a paid service, where the “customer” pays a fee for using the malicious program. The aliases for Adwind RAT include: Adwind, Alien Spy, JConnectPro, JBifrost, JSocket, UnknownRat & UnReCoM.
Language Used: Java / JDK 1.6x/1.7x / Swing
Code base: Frutas Rat (2012-2013)
Target OS: Windows, Linux, Mac OS, Android
After 2012, throughout the subsequent rebranding, Adwind maintained control, and the aliases were sold separately, as products although they all share the same code base, that of jFrutas / Frutas RAT. This particular RAT played a significant role in attack campaigns against banks, and one of its variants was implicated in Alberto Nisman’s murder.
Anti-VMWare/Virtual Box Code
Although malware can be camouflaged in a variety of ways, testing for the presence of virtual environments reduces the possibility that it will get executed and thereby get detected. Adwind has a good illustration of this evasive behavior using byte code, before engaging in any malicious activity, Adwind code checks the system to see if it is running in a Virtual Box or VMware virtual machine.
Code hints at a Spanish author
Class names, variables, function names declared and used in Java are from Spanish language, Example; Archivo, conectado, herramientas, nombre etcetra.
Translation: Nombre – Number, Archivo – Archive, Herramientas – Tools
Adwind RAT infects the victim’s machine by initial infection vectors of spam campaign with attachment (EML), and a suspicious URL to download the malware. The attachment is a MS Word document (.DOCX). The threat actor can trick the user to click on the blurred image to view the document’s content. Once the user opens the .img content, using embedded doc to drop the .JAR file in the %temp% folder to start infecting and perform threat actor’s action on objective.
Category: Remote Access Tool / Spyware
Threat Name: Adwind RAT
Technical Analysis of DOCX
Snap 1: Attachment document of [.docx]
Once the user opens the attachment file, we can see there’s a blurred image, resembles some MS Excel work. What do we usually get? Click the enable content/enable editing to view the actual content of the image. Now, the document displays a blurred image embedded in the .JAR file.
Snap 2: Generation of .JAR file
Once the user clicks on the blurred image, then a pop-up will be generated, it loads the JAR file and requests the user’s permission to open. If you run the malware manually, it will infect your system and even crash it when permissible.
Snap 3: .JAR properties
JAR files are .zip files that contain a compressed version of .class files, audio files, image files, or directories. The main advantage of JAR files such as lossless data compression, archiving, decompression, and archive unpacking. Not to mention, JAR files (Java code) can be run on any platform, code once and infect multiple operating systems.
Snap 4: Structure of MS Word [DOCX] document
DOCX files store data in Open XML Document format, which was introduced by Microsoft from MS Word 2007. It replaced the .DOC file format as the standard format for saving documents in MS Word. Unlike DOC files, which store document data in a single binary file, DOCX files save data as separate files and folders in a compressed ZIP package. Within a DOCX file are XML files and three folders: Word, docProps, and _rels, which store the content, document properties, and relationships between the files. The Open XML format is designed to make document content more open and accessible.
For example, document text is saved in plain text files, and document images are stored as individual image files, such as .JPG or .PNG, within the DOCX file. The included files may also contain page formatting information, authorship data, and document review notes.
Snap 5: Embedded DOC file
DOC files are created to save various documents, including letters, resumes, essays, and invitations. When we create a document in MS Word, we can then choose to save it in either the DOC, or DOCX file format. Adwind JAR then creates a DOC file to store the document’s contents, which can be closed and opened again for further editing. When you are done editing your DOC file you can print it or save it as another file, such as .PDF document or .DOT (template) document.
Snap 6: Embedded OLE_native files
Snap 7: Dropped .JAR in %temp%
After the completion of step 2 once the user accepts & opens the document content. Then, the .JAR file will be dropped in the %temp% folder.
Snap 8: Structure of .JAR file
JAR file is a Java archive (JAR) file used by the Java Runtime Environment (JRE), a framework used for executing Java programs. JAR files may serve as program libraries or as standalone programs that run if the JRE is installed on the computer or mobile device. After 2015-2016, a lot of the cracked versions of Adwind malware being circulated are used by hundreds of threat actors, which means that there are multiple hundreds of command-and-control servers. Some of them are down, some are up, the others are turned on as required by the threat actors.
Once infected, the following process/functions are carried out by Adwind RAT,
- Collecting information about the compromised host.
- Creating scheduled tasks (privilege escalation and persistence).
- Credentials harvesting.
- Taking screenshots, pictures, and recording video & sound from a microphone/webcam.
- Credential dumping (.exe access).
- Password stealing (from browser history and cookies).
- Steal VPN certificates.
- Targeting web banking links (web injects).
- Stealing keys of cryptocurrency wallets.
- Password brute forcing.
- Process injection to conceal the malicious actions.
MITRE ATT&CK Mapping for jRAT / Adwind RAT
|T1123||Audio Capture||jRAT can capture microphone recordings.|
|T1037||Boot or Logon Initialization Scripts: Startup Items||jRAT can list and manage startup entries.|
|T1115||Clipboard Data||jRAT can capture clipboard data.|
|T1059||Command and Scripting Interpreter: Windows Command Shell||jRAT has command line access.|
|Command and Scripting Interpreter: Visual Basic||jRAT has been distributed as HTA files with VBScript.|
|T1555||Credentials from Password Stores: Credentials from Web Browsers||jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.|
|T1083||File and Directory Discovery||jRAT can browse file systems.|
|T1070||Indicator Removal: File Deletion||jRAT has a function to delete files from the victim’s machine.|
|T1105||Ingress Tool Transfer||jRAT can download and execute files.|
|T1056||Input Capture: Keylogging||jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.|
|T1027||Obfuscated Files or Information||jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.|
|Software Packing||jRAT payloads have been packed.|
|T1120||Peripheral Device Discovery||jRAT can map UPnP ports.|
|T1057||Process Discovery||jRAT can query and kill system processes.|
|T1090||Proxy||jRAT can serve as a SOCKS proxy server.|
|T1021||Remote Services: Remote Desktop Protocol||jRAT can support RDP control.|
|T1029||Scheduled Transfer||jRAT can be configured to reconnect at certain intervals.|
|T1113||Screen Capture||jRAT has the capability to take screenshots of the victim’s machine.|
|T1518||Software Discovery: Security Software Discovery||jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.|
|T1082||System Information Discovery||jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.|
|T1016||System Network Configuration Discovery||jRAT can gather victim internal and external IPs.|
|T1049||System Network Connections Discovery||jRAT can list network connections.|
|T1007||System Service Discovery||jRAT can list local services.|
|T1552||Unsecured Credentials: Credentials In Files||jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.|
|Unsecured Credentials: Private Keys||jRAT can steal keys for VPNs and cryptocurrency wallets.|
|T1125||Video Capture||jRAT has the capability to capture video from a webcam.|
|T1047||Windows Management Instrumentation||jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.|
Indicator of Compromise
IP Address / Domains
URLs Hosting the JAR files