Security Alert: Spam Campaign Spreads Adwind RAT variant, Targeting Computer Systems


The malware economy is still alive and well. Cybercriminals keep shifting toward more targeted attacks that need only a small infrastructure to carry out, and phishing emails remain the preferred attack vector for malicious actors who want access to users’ valuable data.

Security researchers recently observed and analyzed a targeted spam campaign in which cybercriminals try to lure victims into clicking on a malicious link.

In the observed attack, the spam email carried the following content:

From: [Spoof / Forwarded Sender Address]

Subject Line:
payment swift copy-USD-39,814-15

Content (sanitized for your own protection):

“Dear Sir

Please find herewith the attached file of payment swift copy-USD-39,814-15. Please acknowledge receipt it.

Best Regards

https: //www.dropbox [.] com / s / 6etniblieaywcpm / PAYMENT% 20SWIFT% 20COPY_Parimex% 20USD_39% 2C814-15_pdf.zip? dl = 3D1 “

If the user clicks the Dropbox link, the browser downloads a malicious ZIP archive (the “=3D” in the link is the quoted-printable encoding of “=”, so the real parameter is “dl=1”, which makes Dropbox serve the file as a direct download instead of showing its preview page). The archive contains a single file: “PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar”. The “_pdf” inserted before the real “.jar” extension is there to make the file look like a document.

A JAR (Java ARchive) is a ZIP file that holds compiled Java classes and a manifest. It is not a document: on a machine with a Java Runtime Environment (JRE) installed, the operating system’s file association lets a double-click execute the program inside it, just like a native executable.

During this spam campaign, if an unsuspecting recipient runs the .jar file on a machine that has a Java runtime installed, the dropper writes the malicious JBiFrost RAT to the hard drive. The requirement is a Java runtime, not JavaScript; the two are unrelated, and no browser scripting is involved.
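As an added example (not part of the original alert, and not Heimdal’s or CSIS’s tooling), here is a small triage script an analyst could run on a suspicious download before anyone opens it. It opens the outer ZIP without executing anything, checks each member name for an executable extension hidden behind a document-looking suffix such as “_pdf.jar”, and, for JAR members, reads the manifest to see whether a Main-Class is declared, which is what lets the JRE run the archive on a double-click. The archive it inspects is constructed in memory with harmless contents; only the file name mirrors the lure.

```python
import io
import re
import zipfile

# Extensions that should never be accepted as "documents" from a stranger.
EXECUTABLE_EXTS = {".jar", ".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1"}

# A document-looking token just before the real extension, e.g. "_pdf.jar" or
# "invoice.pdf.exe". The separator may be "_", "-", "." or a space.
DISGUISE_RE = re.compile(r"[._\- ](pdf|doc|docx|xls|xlsx|txt|jpg|png)\.[a-z0-9]+$", re.I)


def real_extension(name: str) -> str:
    """Return the lower-cased final extension of a file name ("" if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def jar_main_class(data: bytes):
    """If `data` is a ZIP-based JAR whose manifest declares Main-Class, return it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("main-class:"):
                return line.split(":", 1)[1].strip()
    return None


def triage_archive(data: bytes) -> list:
    """Inspect every member of an outer ZIP; verdict is "block" or "allow"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            name = info.filename
            ext = real_extension(name)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                if DISGUISE_RE.search(name):
                    reasons.append(f"document-looking name disguising {ext}")
            # Only read the member if it claims to be a JAR; never execute it.
            main_class = jar_main_class(outer.read(name)) if ext == ".jar" else None
            if main_class:
                reasons.append(f"JAR manifest declares Main-Class {main_class}")
            findings.append({
                "name": name,
                "extension": ext,
                "main_class": main_class,
                "verdict": "block" if reasons else "allow",
                "reasons": reasons,
            })
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test data: a ZIP holding a harmless minimal JAR named like the
    lure in the alert (manifest plus a 4-byte stub, no real bytecode), and a
    benign text file for comparison."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar",
                       jar_buf.getvalue())
        outer.writestr("README.txt", "plain text, nothing to run\n")
    return outer_buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_attachment()):
        print(f["verdict"].upper(), f["name"], "|", "; ".join(f["reasons"]))
```

Run as a script, the JAR is reported as “block” on three grounds (executable extension, disguised name, executable manifest) while the text file passes. The same checks applied at a web proxy or in an endpoint download hook would catch this file even though it is hosted on a reputable service like Dropbox, where URL reputation alone says nothing. The script deliberately never invokes java: executing the sample is exactly what the check is meant to prevent.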

JBiFrost is a version of the Adwind RAT that the malicious actors behind it have rebranded; it made its appearance on the malware market in 2016.

This variant of the RAT is configured to communicate with the following C&C server (sanitized for your safety): vvrhhhnaijyj6s2m.onion[.]top. The “.onion.top” suffix indicates that the operators run their C&C as a Tor hidden service and reach it through a clearnet Tor2web-style gateway, so the infected machine does not need Tor installed and the beacon shows up in ordinary DNS and proxy logs as a lookup of that hostname. With the help of a RAT, attackers can remotely access the file system to read, write or delete files.
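The beacon to that C&C server is something a defender can hunt for in DNS or proxy logs. The script below is an added example written for this page; it is not Heimdal’s detection logic and not part of the original alert. It refangs a defanged indicator list, so the C&C hostname can be copied straight from the alert, and also applies a heuristic for Tor2web-style gateways: a hostname whose left-most label is a 16-character (v2) or 56-character (v3) base32 onion address followed by “.onion.” and a clearnet TLD. The log lines, their “timestamp client query” layout and the second gateway name are constructed for the demo.

```python
import re

# Indicators as copied from an alert, defanged so they are not clickable.
DEFANGED_IOCS = [
    "vvrhhhnaijyj6s2m.onion[.]top",
]

# Onion address labels are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
# "<onion-label>.onion.<clearnet-tld>" is how Tor2web-style gateways expose a
# hidden service to clients that do not run Tor themselves.
TOR2WEB_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\.[a-z]{2,}$")


def refang(indicator: str) -> str:
    """Turn 'example[.]com', 'example (.) com' or 'hxxp://...' back into a hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"\s*[\[\(]\s*\.\s*[\]\)]\s*", ".", s)   # "[.]", "(.)", " [.] "
    s = re.sub(r"^hxxps?://", "", s)                     # neutralised scheme
    return s.split("/")[0]                               # drop any path


def classify_hostname(host: str, ioc_set: set):
    """Return "known-c2", "tor2web-gateway" or None for one queried name."""
    host = host.strip().lower().rstrip(".")              # DNS logs often keep the root dot
    if host in ioc_set:
        return "known-c2"
    if TOR2WEB_RE.match(host):
        return "tor2web-gateway"
    return None


def scan_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return (client, hostname, label) for every suspicious query in the log."""
    ioc_set = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue   # malformed line: skip rather than abort a hunt over millions of lines
        _timestamp, client, qname = parts[0], parts[1], parts[2]
        label = classify_hostname(qname, ioc_set)
        if label:
            hits.append((client, qname.lower().rstrip("."), label))
    return hits


# Constructed sample log, one query per line: "<timestamp> <client-ip> <queried-name>".
# The Dropbox lookup is legitimate traffic and must not fire; the second line is the
# alert's C&C; the fourth is a made-up onion label behind a made-up gateway TLD.
SAMPLE_LOG = """\
2016-11-03T09:12:01Z 10.1.4.22 www.dropbox.com.
2016-11-03T09:12:44Z 10.1.4.22 vvrhhhnaijyj6s2m.onion.top.
2016-11-03T09:13:02Z 10.1.4.31 onion.top.
2016-11-03T09:13:09Z 10.1.4.31 aaaabbbbccccdddd.onion.example.
2016-11-03T09:13:10Z 10.1.4.40 mail.corp.example.
""".splitlines()

if __name__ == "__main__":
    for client, host, label in scan_dns_log(SAMPLE_LOG):
        print(f"{label:16} {client:12} {host}")
```

The exact-match check is what you act on; the gateway heuristic is a hunting lead, because a bare lookup of a gateway front page (the “onion.top.” line) is not flagged and a different rebranded sample will use a different onion address. Note that the Dropbox download itself is invisible to this check, which is why the earlier file-level inspection and this network-level one complement each other.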

The objective of this type of attack is usually to exfiltrate data from compromised systems and to open a backdoor that lets online criminals feed more malware into the targeted machines.

According to VirusTotal, only 17 antivirus engines out of 61 detected the malicious sample from this spam campaign at the time of writing this security alert.

[Figure: VirusTotal detection results for the JBiFrost sample]

Heimdal Security proactively blocked these malicious domains, so all our Heimdal PRO and Heimdal CORP users are protected.

How to prevent being infected with Adwind RAT

This type of malware is built to evade detection in the first place, so it is essential to take all the security measures needed to keep your data safe.

  • Keep your operating system, and all the apps and software programs on it, up to date, because unpatched vulnerabilities are the first thing malicious actors exploit.
  • Once again, we remind you: DO NOT open emails or click on files/attachments that look suspicious to you. In this campaign the warning signs are a generic greeting, a broken sentence in a one-line body, and a “PDF” that is really a .zip holding a .jar;
  • On machines that do not need to run Java desktop applications, uninstall the JRE or remove the .jar file association, so that double-clicking a downloaded .jar does not execute it;
  • Always keep a backup of all your important data on an external source such as an external hard drive or a cloud service (Google Drive, Dropbox, etc.);
  • Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats, but remember that only 17 of 61 engines caught this sample, so antivirus alone is not enough;
  • It is safer to add multiple layers of protection and use a proactive cyber security solution that blocks known malicious domains before the malware can call home;
  • Prevention is the best cure, so learning as much as possible about how to easily detect spam emails is always the right mindset.

Stay safe!



*This article features cyber intelligence provided by CSIS Security Group researchers.
