• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Adwind

XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
  • Posted on:April 19, 2018 at 6:00 am
  • Posted in:Malware, Spam
  • Author:
    Trend Micro
0

We discovered a spam campaign that delivers the notorious cross-platform remote access Trojan (RAT) Adwind a.k.a. jRAT (detected by Trend Micro as JAVA_ADWIND.WIL) alongside another well-known backdoor called XTRAT a.k.a XtremeRAT (BKDR_XTRAT.SMM). The spam campaign also delivered the info-stealer Loki (TSPY_HPLOKI.SM1).

DUNIHI (VBS_DUNIHI.ELDSAVJ), a known VBScript with backdoor and worm capabilities, was also seen being dropped with Adwind via spam mail in a separate incident. Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org. The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.

Read More
Tags: AdwindbackdoorDUNIHILokiXTRAT

A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs
  • Posted on:September 5, 2017 at 3:00 am
  • Posted in:Malware
  • Author:
    Trend Micro Cyber Safety Solutions Team
0

Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.

We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags. It resembled the way Google Drive was misused as a repository of stolen data, for instance.

The payloads we saw during our research—remote access tools (RATs)—are also notable. We found that after they were downloaded and executed, the RATs/backdoors would phone back to their respective command-and-control servers, which are resolvable via free DNS services. It’s not a novel technique, but our correlation of the indicators of compromise (IoCs) suggests that a potentially sustained, cybercriminal operation took advantage of this platform.

Read More
Tags: A360 DriveAdwindAutodeskRemcos RAT

Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind
  • Posted on:July 11, 2017 at 3:00 am
  • Posted in:Malware, Spam
  • Author:
    Rubio Wu and Marshall Chen (Threats Analysts)
0

Cybercriminals are opportunists. As other operating systems (OS) are more widely used, they, too, would diversify their targets, tools, and techniques in order to cash in on more victims. That’s the value proposition of malware that can adapt and cross over different platforms. And when combined with a business model that can commercially peddle this malware to other bad guys, the impact becomes more pervasive.

Case in point: Adwind/jRAT, which Trend Micro detects as JAVA_ADWIND. It’s a cross-platform remote access Trojan (RAT) that can be run on any machine installed with Java, including Windows, Mac OSX, Linux, and Android.

Unsurprisingly we saw it resurface in another spam campaign. This time, however, it’s mainly targeting enterprises in the aerospace industry, with Switzerland, Ukraine, Austria, and the US the most affected countries.

Read More
Tags: AdwindjRATjRAT-wrapperremote access TrojanSpam

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Popular Posts

  • Security Analysis of Devices That Support SCPI and VISA Protocols
  • Why Running a Privileged Container in Docker Is a Bad Idea
  • January Patch Tuesday: Update List Includes Fixes for Internet Explorer, Remote Desktop, Cryptographic Bugs
  • First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
  • Looking into Attacks and Techniques Used Against WordPress Sites

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.