jar.adwind

AdWind

aka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat

Sold as part of a malware-as-a-service (MaaS) platform; the operators rent the builder/backend rather than selling one-off binaries.
"AdWind" is also used as a generic label for the whole family of related Java-based RATs (see the aliases above), so samples tagged AdWind may differ considerably in code and in the features listed below.
Functionality (as reported in the references; not every build carries every plugin)
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local applications and web forms
- download and execute additional malware
- modify the Windows registry
- download additional components/plugins
- launch denial-of-service attacks
- steal VPN certificates
The RAT itself is cross-platform (it runs wherever a Java runtime is present); the registry and attrib.exe behaviour below applies only to Windows hosts.

Initial infection vector
1. Malspam e-mail with the JAR file attached directly (variants have also hidden the JAR behind a DDE-bearing Office document or appended it to a signed MSI; see the Cisco Talos and Security-in-Bits references)
2. Malspam e-mail carrying a URL from which the malware is downloaded (compromised WordPress sites have been used as hosting; see the Zscaler reference)

Persistence
- Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per-user, so no elevation is needed; a Run-key value that launches javaw.exe/java.exe with a .jar in a user-writable path is a useful hunting pivot)

Hiding
Invokes attrib.exe (the Windows file-attribute tool) to hide its dropped files on disk; a Java process spawning attrib.exe is itself a detection opportunity.

Notes on Adwind
The malware is not known to be proxy-aware: it attempts direct outbound connections to its C2. On networks that only permit egress through an explicit proxy it may fail to beacon, and the blocked direct connection attempts from a Java process are a detection opportunity.

References
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-28Security-in-BitsSecurity-in-Bits
@online{securityinbits:20200628:interesting:f625fa2, author = {Security-in-Bits}, title = {{Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI}}, date = {2020-06-28}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/}, language = {English}, urldate = {2020-06-29} } Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI
AdWind Ratty
2020-04-29ZscalerSudeep Singh
@online{singh:20200429:compromised:79b3a7d, author = {Sudeep Singh}, title = {{Compromised Wordpress sites used to distribute Adwind RAT}}, date = {2020-04-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat}, language = {English}, urldate = {2020-06-08} } Compromised Wordpress sites used to distribute Adwind RAT
AdWind
2019-05-20Check PointBen Herzog
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy
2018-09-24Cisco TalosPaul Rascagnères, Vitor Ventura, Tomislav Pericin, Robert Perica
@online{rascagnres:20180924:adwind:9b737eb, author = {Paul Rascagnères and Vitor Ventura and Tomislav Pericin and Robert Perica}, title = {{Adwind Dodges AV via DDE}}, date = {2018-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html}, language = {English}, urldate = {2020-01-06} } Adwind Dodges AV via DDE
AdWind
2018-08-20Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20180820:interesting:14ea764, author = {Marco Ramilli}, title = {{Interesting hidden threat since years ?}}, date = {2018-08-20}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/}, language = {English}, urldate = {2019-12-23} } Interesting hidden threat since years ?
AdWind
2018-03-12Github (herrcore)Sergei Frankoff
@online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github (herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } Python decryptor for newer AdWind config file
AdWind
2018-02-16FortinetXiaopeng Zhang
@online{zhang:20180216:new:2b24e6b, author = {Xiaopeng Zhang}, title = {{New jRAT/Adwind Variant Being Spread With Package Delivery Scam}}, date = {2018-02-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html}, language = {English}, urldate = {2020-01-06} } New jRAT/Adwind Variant Being Spread With Package Delivery Scam
AdWind
2017-10-03SeqritePavankumar Chaudhari
@online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } Evolution of jRAT JAVA Malware
AdWind
2017-07-11Trend MicroRubio Wu, Marshall Chen
@online{wu:20170711:spam:87ce008, author = {Rubio Wu and Marshall Chen}, title = {{Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind}}, date = {2017-07-11}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat}, language = {English}, urldate = {2020-01-06} } Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind
AdWind
2017-07-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } MALSPAM WITH JAVA-BASED RAT
AdWind
2015-12-08The CitizenlabJohn Scott-Railton, Morgan Marquis-Boire, Claudio Guarnieri, Marion Marschalek
@online{scottrailton:20151208:packrat:5f9bffa, author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek}, title = {{Packrat: Seven Years of a South American Threat Actor}}, date = {2015-12-08}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2015/12/packrat-report/}, language = {English}, urldate = {2020-05-18} } Packrat: Seven Years of a South American Threat Actor
AdWind Adzok CyberGate Xtreme RAT Packrat
Yara Rules
[TLP:WHITE] jar_adwind_w0 (20170803 | Adwind RAT)
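rule jar_adwind_w0 {
    meta:
        author = "Asaf Aprozper, asafa AT minerva-labs.com"
        description = "Adwind RAT"
        reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
        last_modified = "2017-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // JAR files are ZIP archives; the manifest entry name is stored in clear text
        // in the ZIP headers regardless of compression, so it is always scannable.
        $a0 = "META-INF/MANIFEST.MF"
        // Obfuscated inner-class entry names of the form Main$Q followed by exactly four digits.
        $a1 = /Main\$Q[0-9]{4}/
    condition:
        // ZIP local-file-header magic "PK" (0x50 0x4B) at offset 0, read as a little-endian
        // uint16. Semantically identical to the former `$PK at 0`, but a 2-byte string atom
        // forces YARA into a slow full-buffer scan for "PK"; the integer test is free.
        uint16(0) == 0x4B50 and $a0 and $a1
}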
[TLP:WHITE] jar_adwind_w1 (20170803 | Alien Spy Remote Access Trojan)
rule jar_adwind_w1 {
    meta:
        description = "Alien Spy Remote Access Trojan"
        author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
        reference = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
        reference = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
        date = "2015-04-04"
        filetype = "Java"
        hash = "075fa0567d3415fbab3514b8aa64cfcb"
        hash = "818afea3040a887f191ee9d0579ac6ed"
        hash = "973de705f2f01e82c00db92eaa27912c"
        hash = "7f838907f9cc8305544bd0ad4cfd278e"
        hash = "071e12454731161d47a12a8c4b3adfea"
        hash = "a7d50760d49faff3656903c1130fd20b"
        hash = "f399afb901fcdf436a1b2a135da3ee39"
        hash = "3698a3630f80a632c0c7c12e929184fb"
        hash = "fdb674cadfa038ff9d931e376f89f1b6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Three independent string sets; a file matches when ANY ONE set is complete.
        // The trailing "PK" on many strings is presumably the signature of the ZIP
        // header that follows the entry name -- confirm against the referenced report.

        // Set A: manifest plus the core AlienSpy class/plugin entries.
        $a1 = "META-INF/MANIFEST.MF"
        $a2 = "Main.classPK"
        $a3 = "plugins/Server.classPK"
        $a4 = "IDPK"

        // Set B: the encrypted-stub loader layout (config/password files, stub loaders).
        $b1 = "config.iniPK"
        $b2 = "password.iniPK"
        $b3 = "plugins/Server.classPK"
        $b4 = "LoadStub.classPK"
        $b5 = "LoadStubDecrypted.classPK"
        $b6 = "LoadPassword.classPK"
        $b7 = "DecryptStub.classPK"
        $b8 = "ClassLoaders.classPK"

        // Set C: plugin-framework directory names plus the product name. Several of these
        // are short and generic on their own; requiring ALL of them keeps the set specific.
        $c1 = "config.xml"
        $c2 = "options"
        $c3 = "plugins"
        $c4 = "util"
        $c5 = "util/OSHelper"
        $c6 = "Start.class"
        $c7 = "AlienSpy"

    condition:
        // Cheap size cap first, then any one complete set.
        filesize < 800KB and
        (
            all of ($a*) or
            all of ($b*) or
            all of ($c*)
        )
}