RAT Trojan Adwind attacks US energy sector

Unknown attackers targeted infrastructure of the US electricity industry. With the help of malicious emails, employees of the energy enterprises were delivered the Adwind RAT Trojan, which specializes in attacks on the electricity sector.

The malware, also known as JRAT, SockRat, AlienSpy, JSocket, Frutas and Unrecom, is used to steal information. It can take screenshots, collect credentials from Chrome, Internet Explorer and Microsoft Edge, record audio and video, take pictures, read keystrokes on the keyboard, and steal files, email and VPN certificates.

Adwind distributed under the “malware as a service” model. Anyone can buy a trojan on the black market.

“The fact that Adwind can be accessed as a regular service is disturnbing. Anyone can pay and attack the enterprises that run critical infrastructure facilities”, – said Bob Noel, Plixer vice president of strategic relations.

According to Milo Salvia, a researcher at Cofense, ongoing attacks begin with malicious mailing. The letter, which attracted experts’ attention, was sent from a hacked account of Friary Shoes. It stated that the recipient must sign and return a copy of a payment receipt.

The letter was accompanied by an image with a built-in link, masked under a PDF file.

If the user tried to open the attachment, he was automatically redirected to the hacked site of Fletcher Specs, from which the malware was downloaded to victim’s computer.

Read also: Trojan Varenyky spies on porn sites users

The original payload was a JAR file named Scan050819.pdf_obf.jar. Thus, attackers tried to hide the true extension and pass it off as a PDF document. This JAR file in the background created two Java.exe processes that loaded two separate .class files containing Adwind. After that, the malware transmitted a signal to the command and control server.

“Forcing users to open malicious links or attachments is still the most successful way for cybercriminals to gain access to the target system. Malwares like Adwind will be able to disable antiviruses when they get to the device”, – said Bob Noel.

To avoid detection, the Trojan found on the computer the most common anti-virus programs and malware analysis tools and disabled them using the taskkill.exe process.