Description

Adwind is a backdoor written in JAVA and arrives thru spam email.  It’s a cross-platform Remote Access Tool (RAT) that can run on Windows, Mac OS, Linux and Android platforms. This malware is found to be sold in the dark web and was previously used by hackers to target banks. It has different names such as AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat.

Below is the list of capabilities of the Adwind malware:

• Collect general system and user information
• Terminate running processes
• Log keystrokes
• Take screenshots and access the webcam
• Steal cached passwords and grab data from web forms
• Download and execute other malware
• Modify Registry Entries
• Download Additional Malicious components
• Play audio or record sound from a microphone

Technical Overview:

1. This malware arrives as an attachment in a spam Email:    

2. When executed, it creates a random name folder in the user directory and drops and executes a copy of itself like the example below:

3.  It also creates an Autostart key for Persistence:

4.  It adds the following registry entries to prevent AV processes or tools from starting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%Filename of Target Exe%]

“debugger”=”svchost.exe”

The %Filename of Target Exe% is a string variable. Below is the list of strings it uses which are found to be AV related:

ProcessHacker.exe

econceal.exe

nseupdatesvc.exe

coreFrameworkHost.exe

procexp.exe

escanmon.exe

nfservice.exe

coreServiceShell.exe

MSASCui.exe

escanpro.exe

nwscmon.exe

uiUpdateTray.exe

MsMpEng.exe

TRAYSSER.EXE

njeeves2.exe

VIPREUI.exe

MpUXSrv.exe

TRAYICOS.EXE

nvcod.exe

SBAMSvc.exe

MpCmdRun.exe

econser.exe

nvoy.exe

SBAMTray.exe

NisSrv.exe

VIEWTCP.EXE

zlhh.exe

SBPIMSvc.exe

ConfigSecurityPolicy.exe

FSHDLL64.exe

Zlh.exe

bavhm.exe

procexp.exe

fsgk32.exe

nprosec.exe

BavSvc.exe

wireshark.exe

fshoster32.exe

Zanda.exe

BavTray.exe

tshark.exe

FSMA32.EXE

NS.exe

Bav.exe

text2pcap.exe

fsorsp.exe

acs.exe

BavWebClient.exe

rawshark.exe

fssm32.exe

op_mon.exe

BavUpdater.exe

mergecap.exe

FSM32.EXE

PSANHost.exe

MCShieldCCC.exe

editcap.exe

trigger.exe

PSUAMain.exe

MCShieldRTM.exe

dumpcap.exe

FProtTray.exe

PSUAService.exe

MCShieldDS.exe

capinfos.exe

FPWin.exe

AgentSvc.exe

MCS-Uninstall.exe

mbam.exe

FPAVServer.exe

BDSSVC.EXE

SDScan.exe

mbamscheduler.exe

AVK.exe

EMLPROXY.EXE

SDFSSvc.exe

mbamservice.exe

GdBgInx64.exe

OPSSVC.EXE

SDWelcome.exe

AdAwareService.exe

AVKProxy.exe

ONLINENT.EXE

SDTray.exe

AdAwareTray.exe

GDScan.exe

QUHLPSVC.EXE

UnThreat.exe

WebCompanion.exe

AVKWCtlx64.exe

SAPISSVC.EXE

utsvc.exe

AdAwareDesktop.exe

AVKService.exe

SCANNER.EXE

FortiClient.exe

V3Main.exe

AVKTray.exe

SCANWSCS.EXE

fcappdb.exe

V3Svc.exe

GDKBFltExe32.exe

scproxysrv.exe

FCDBlog.exe

V3Up.exe

GDSC.exe

ScSecSvc.exe

FCHelper64.exe

V3SP.exe

virusutilities.exe

SUPERAntiSpyware.exe

fmon.exe

V3Proxy.exe

guardxservice.exe

SASCore64.exe

FortiESNAC.exe

V3Medic.exe

guardxkickoff_x64.exe

SSUpdate64.exe

FortiProxy.exe

BgScan.exe

iptray.exe

SUPERDelete.exe

FortiSSLVPNdaemon.exe

BullGuard.exe

freshclam.exe

SASTask.exe

FortiTray.exe

BullGuardBhvScanner.exe

freshclamwrap.exe

K7RTScan.exe

FortiFW.exe

BullGuarScanner.exe

K7RTScan.exe

K7FWSrvc.exe

FortiClient_Diagnostic_Tool.exe

LittleHook.exe

K7FWSrvc.exe

K7PSSrvc.exe

av_task.exeCertReg.exe

BullGuardUpdate.exe

K7PSSrvc.exe

K7EmlPxy.EXE

FilMsg.exe

clamscan.exe

K7EmlPxy.EXE

K7TSecurity.exe

FilUp.exe

ClamTray.exe

K7TSecurity.exe

K7AVScan.exe

filwscc.exe

ClamWin.exe

K7AVScan.exe

K7CrvSvc.exe

filwscc.exe

cis.exe

K7CrvSvc.exe

K7SysMon.Exe

psview.exe

CisTray.exe

K7SysMon.Exe

K7TSMain.exe

quamgr.exe

cmdagent.exe

K7TSMain.exe

K7TSMngr.exe

quamgr.exe

cavwp.exe

K7TSMngr.exe

uiWinMgr.exe

schmgr.exe

dragon_updater.exe

nanosvc.exe

uiWatchDog.exe

schmgr.exe

MWAGENT.EXE

nanoav.exe

uiSeAgnt.exe

twsscan.exe

MWASER.EXE

nnf.exe

PtWatchDog.exe

twssrv.exe

CONSCTLX.EXE

nvcsvc.exe

PtSvcHost.exe

UserReg.exe

avpmapp.exe

nbrowser.exe

PtSessionAgent.exe

5. It also tries to terminate the said processes if found running.

6. It communicates with its C2 using TLSv1.2

7. Once communication is established, it will exfiltrate data and may download additional payload such as other malware on the infected system.

Other Information

Dump Config File of Adwind

{

"NETWORK":[{"PORT":1010,"DNS":"185.75.59.253"}],

"INSTALL":true,

"MODULE_PATH":"TZ/lmS/a.uB",

"PLUGIN_FOLDER":"aUVnOWFBQkn",

"JRE_FOLDER":"LOHZgW",

"JAR_FOLDER":"JnpronDXwkD",

"JAR_EXTENSION":"hneTIZ",

"ENCRYPT_KEY":"HAcSNRrrdXUWJieONrQYoghbh",

"DELAY_INSTALL":2

,"NICKNAME":"1",

"VMWARE":false,

"PLUGIN_EXTENSION":"JceSJ",

"WEBSITE_PROJECT":"https://jrat.io",

"JAR_NAME":"MGPBtRBLZuK",

"SECURITY":[{"REG":[{"VALUE":"\"DisableConfig\"=dword:00000001\r\n\"DisableSR\"=dword:00000001\r\n","KEY":"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"}],"NAME":"Restore System"},

{"PROCESS":["ProcessHacker.exe"],"NAME":"Process Hacker"},

{"PROCESS":["procexp.exe"],"NAME":"MsConfig"},

{"PROCESS":["MSASCui.exe","MsMpEng.exe","MpUXSrv.exe","MpCmdRun.exe","NisSrv.exe","ConfigSecurityPolicy.exe"],"NAME":"Windows Defender"},

{"PROCESS":["procexp.exe"],"NAME":"Process Explorer"},

{"PROCESS":["wireshark.exe","tshark.exe","text2pcap.exe","rawshark.exe","mergecap.exe","editcap.exe","dumpcap.exe","capinfos.exe"],"NAME":"Wireshark"},

{"PROCESS":["mbam.exe","mbamscheduler.exe","mbamservice.exe"],"NAME":"MalwareBytes"},

{"PROCESS":["AdAwareService.exe","AdAwareTray.exe","WebCompanion.exe","AdAwareDesktop.exe"],"NAME":"Ad-Aware Antivirus"},

{"PROCESS":["V3Main.exe","V3Svc.exe","V3Up.exe","V3SP.exe","V3Proxy.exe","V3Medic.exe"],"NAME":"Ahnlab V3 Internet Security 8.0"},

{"PROCESS":["BgScan.exe","BullGuard.exe","BullGuardBhvScanner.exe","BullGuarScanner.exe","LittleHook.exe","BullGuardUpdate.exe"],"NAME":"Bull Guard Antivirus"},

{"PROCESS":["clamscan.exe","ClamTray.exe","ClamWin.exe"],"NAME":"ClamWin Antivirus"},

{"PROCESS":["cis.exe","CisTray.exe","cmdagent.exe","cavwp.exe","dragon_updater.exe"],"NAME":"COMODO Antivirus"},

{"PROCESS":["MWAGENT.EXE","MWASER.EXE","CONSCTLX.EXE","avpmapp.exe","econceal.exe","escanmon.exe","escanpro.exe","TRAYSSER.EXE","TRAYICOS.EXE","econser.exe","VIEWTCP.EXE"],"NAME":"EScan Antivirus"},

{"PROCESS":["FSHDLL64.exe","fsgk32.exe","fshoster32.exe","FSMA32.EXE","fsorsp.exe","fssm32.exe","FSM32.EXE","trigger.exe"],"NAME":"F-Secure Antivirus"},

{"PROCESS":["FProtTray.exe","FPWin.exe","FPAVServer.exe"],"NAME":"F-PROT Antivirus"},

{"PROCESS":["AVK.exe","GdBgInx64.exe","AVKProxy.exe","GDScan.exe","AVKWCtlx64.exe","AVKService.exe","AVKTray.exe","GDKBFltExe32.exe","GDSC.exe"],"NAME":"G DATA Antivirus"},

{"PROCESS":["virusutilities.exe","guardxservice.exe","guardxkickoff_x64.exe"],"NAME":"IKARUS Antivirus"},

{"PROCESS":["iptray.exe","freshclam.exe","freshclamwrap.exe"],"NAME":"Immunet Antivirus"},

{"PROCESS":["K7RTScan.exe","K7FWSrvc.exe","K7PSSrvc.exe","K7EmlPxy.EXE","K7TSecurity.exe","K7AVScan.exe","K7CrvSvc.exe","K7SysMon.Exe","K7TSMain.exe","K7TSMngr.exe"],"NAME":"K7 Ultimate Antivirus"},

{"PROCESS":["nanosvc.exe","nanoav.exe"],"NAME":"NANO Antivirus"},

{"PROCESS":["nnf.exe","nvcsvc.exe","nbrowser.exe","nseupdatesvc.exe","nfservice.exe","nwscmon.exe","njeeves2.exe","nvcod.exe","nvoy.exe","zlhh.exe","Zlh.exe","nprosec.exe","Zanda.exe"],"NAME":"Norman Antivirus"},

{"PROCESS":["NS.exe"],"NAME":"Norton Internet Security"},

{"PROCESS":["acs.exe","op_mon.exe"],"NAME":"Outpost ASecurity Suite Pro"},

{"PROCESS":["PSANHost.exe","PSUAMain.exe","PSUAService.exe","AgentSvc.exe"],"NAME":"Panda Antivirus"},

{"PROCESS":["BDSSVC.EXE","EMLPROXY.EXE","OPSSVC.EXE","ONLINENT.EXE","QUHLPSVC.EXE","SAPISSVC.EXE","SCANNER.EXE","SCANWSCS.EXE","scproxysrv.exe","ScSecSvc.exe"],"NAME":"Quick Heal Antivirus"},

{"PROCESS":["SUPERAntiSpyware.exe","SASCore64.exe","SSUpdate64.exe","SUPERDelete.exe","SASTask.exe"],"NAME":"SUPER Anti-Spyware"},

{"PROCESS":["K7RTScan.exe","K7FWSrvc.exe","K7PSSrvc.exe","K7EmlPxy.EXE","K7TSecurity.exe","K7AVScan.exe","K7CrvSvc.exe","K7SysMon.Exe","K7TSMain.exe","K7TSMngr.exe"],"NAME":"K7 Ultimate Antivirus"},

{"PROCESS":["uiWinMgr.exe","uiWatchDog.exe","uiSeAgnt.exe","PtWatchDog.exe","PtSvcHost.exe","PtSessionAgent.exe","coreFrameworkHost.exe","coreServiceShell.exe","uiUpdateTray.exe"],"NAME":"Trend Micro Antivirus+"},

{"PROCESS":["VIPREUI.exe","SBAMSvc.exe","SBAMTray.exe","SBPIMSvc.exe"],"NAME":"VIPRE Security 2015"},

{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},

{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},

{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},

{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},

{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},

{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],

"JAR_REGISTRY":"GPJLxQgafwm",

"DELAY_CONNECT":2,

"SECURITY_TIMES":1,

"VBOX":false}

How Cyphort's ADF Can Help

Cyport detects Adwind and its C2 communication as TROJAN_ADWIND.CY.