Description
Adwind is a backdoor written in Java that arrives through spam email. It is a cross-platform Remote Access Tool (RAT) that runs on Windows, Mac OS, Linux and Android. The malware is sold on the dark web and has previously been used by attackers to target banks. It is also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat.
Below is the list of capabilities of the Adwind malware:
- Collect general system and user information
- Terminate running processes
- Log keystrokes
- Take screenshots and access the webcam
- Steal cached passwords and grab data from web forms
- Download and execute other malware
- Modify registry entries
- Download additional malicious components
- Play audio or record sound from a microphone
Technical Overview:
1. The malware arrives as an attachment to a spam email:
2. When executed, it creates a randomly named folder in the user directory and drops and executes a copy of itself there, as in the example below:
3. It also creates an Autostart registry key for persistence:
4. It adds the following Image File Execution Options registry entries to prevent AV processes and analysis tools from starting (with svchost.exe registered as the debugger, Windows launches svchost.exe in place of the target executable):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%Filename of Target Exe%]
"debugger"="svchost.exe"
%Filename of Target Exe% is a placeholder for the target executable's file name. The names it uses, which were found to be AV-related, are listed below (read down each column):
ProcessHacker.exe | econceal.exe | nseupdatesvc.exe | coreFrameworkHost.exe
procexp.exe | escanmon.exe | nfservice.exe | coreServiceShell.exe
MSASCui.exe | escanpro.exe | nwscmon.exe | uiUpdateTray.exe
MsMpEng.exe | TRAYSSER.EXE | njeeves2.exe | VIPREUI.exe
MpUXSrv.exe | TRAYICOS.EXE | nvcod.exe | SBAMSvc.exe
MpCmdRun.exe | econser.exe | nvoy.exe | SBAMTray.exe
NisSrv.exe | VIEWTCP.EXE | zlhh.exe | SBPIMSvc.exe
ConfigSecurityPolicy.exe | FSHDLL64.exe | Zlh.exe | bavhm.exe
procexp.exe | fsgk32.exe | nprosec.exe | BavSvc.exe
wireshark.exe | fshoster32.exe | Zanda.exe | BavTray.exe
tshark.exe | FSMA32.EXE | NS.exe | Bav.exe
text2pcap.exe | fsorsp.exe | acs.exe | BavWebClient.exe
rawshark.exe | fssm32.exe | op_mon.exe | BavUpdater.exe
mergecap.exe | FSM32.EXE | PSANHost.exe | MCShieldCCC.exe
editcap.exe | trigger.exe | PSUAMain.exe | MCShieldRTM.exe
dumpcap.exe | FProtTray.exe | PSUAService.exe | MCShieldDS.exe
capinfos.exe | FPWin.exe | AgentSvc.exe | MCS-Uninstall.exe
mbam.exe | FPAVServer.exe | BDSSVC.EXE | SDScan.exe
mbamscheduler.exe | AVK.exe | EMLPROXY.EXE | SDFSSvc.exe
mbamservice.exe | GdBgInx64.exe | OPSSVC.EXE | SDWelcome.exe
AdAwareService.exe | AVKProxy.exe | ONLINENT.EXE | SDTray.exe
AdAwareTray.exe | GDScan.exe | QUHLPSVC.EXE | UnThreat.exe
WebCompanion.exe | AVKWCtlx64.exe | SAPISSVC.EXE | utsvc.exe
AdAwareDesktop.exe | AVKService.exe | SCANNER.EXE | FortiClient.exe
V3Main.exe | AVKTray.exe | SCANWSCS.EXE | fcappdb.exe
V3Svc.exe | GDKBFltExe32.exe | scproxysrv.exe | FCDBlog.exe
V3Up.exe | GDSC.exe | ScSecSvc.exe | FCHelper64.exe
V3SP.exe | virusutilities.exe | SUPERAntiSpyware.exe | fmon.exe
V3Proxy.exe | guardxservice.exe | SASCore64.exe | FortiESNAC.exe
V3Medic.exe | guardxkickoff_x64.exe | SSUpdate64.exe | FortiProxy.exe
BgScan.exe | iptray.exe | SUPERDelete.exe | FortiSSLVPNdaemon.exe
BullGuard.exe | freshclam.exe | SASTask.exe | FortiTray.exe
BullGuardBhvScanner.exe | freshclamwrap.exe | K7RTScan.exe | FortiFW.exe
BullGuarScanner.exe | K7RTScan.exe | K7FWSrvc.exe | FortiClient_Diagnostic_Tool.exe
LittleHook.exe | K7FWSrvc.exe | K7PSSrvc.exe | av_task.exe
BullGuardUpdate.exe | K7PSSrvc.exe | K7EmlPxy.EXE | CertReg.exe
clamscan.exe | K7EmlPxy.EXE | K7TSecurity.exe | FilMsg.exe
ClamTray.exe | K7TSecurity.exe | K7AVScan.exe | FilUp.exe
ClamWin.exe | K7AVScan.exe | K7CrvSvc.exe | filwscc.exe
cis.exe | K7CrvSvc.exe | K7SysMon.Exe | filwscc.exe
CisTray.exe | K7SysMon.Exe | K7TSMain.exe | psview.exe
cmdagent.exe | K7TSMain.exe | K7TSMngr.exe | quamgr.exe
cavwp.exe | K7TSMngr.exe | uiWinMgr.exe | quamgr.exe
dragon_updater.exe | nanosvc.exe | uiWatchDog.exe | schmgr.exe
MWAGENT.EXE | nanoav.exe | uiSeAgnt.exe | schmgr.exe
MWASER.EXE | nnf.exe | PtWatchDog.exe | twsscan.exe
CONSCTLX.EXE | nvcsvc.exe | PtSvcHost.exe | twssrv.exe
avpmapp.exe | nbrowser.exe | PtSessionAgent.exe | UserReg.exe
5. It also tries to terminate those processes if it finds them running.
6. It communicates with its C2 over TLSv1.2.
7. Once communication is established, it exfiltrates data and may download additional payloads, such as other malware, to the infected system.
Other Information
Dump Config File of Adwind

```json
{
  "NETWORK": [{"PORT": 1010, "DNS": "185.75.59.253"}],
  "INSTALL": true,
  "MODULE_PATH": "TZ/lmS/a.uB",
  "PLUGIN_FOLDER": "aUVnOWFBQkn",
  "JRE_FOLDER": "LOHZgW",
  "JAR_FOLDER": "JnpronDXwkD",
  "JAR_EXTENSION": "hneTIZ",
  "ENCRYPT_KEY": "HAcSNRrrdXUWJieONrQYoghbh",
  "DELAY_INSTALL": 2,
  "NICKNAME": "1",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "JceSJ",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "MGPBtRBLZuK",
  "SECURITY": [
    {"REG": [{"VALUE": "\"DisableConfig\"=dword:00000001\r\n\"DisableSR\"=dword:00000001\r\n", "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"}], "NAME": "Restore System"},
    {"PROCESS": ["ProcessHacker.exe"], "NAME": "Process Hacker"},
    {"PROCESS": ["procexp.exe"], "NAME": "MsConfig"},
    {"PROCESS": ["MSASCui.exe", "MsMpEng.exe", "MpUXSrv.exe", "MpCmdRun.exe", "NisSrv.exe", "ConfigSecurityPolicy.exe"], "NAME": "Windows Defender"},
    {"PROCESS": ["procexp.exe"], "NAME": "Process Explorer"},
    {"PROCESS": ["wireshark.exe", "tshark.exe", "text2pcap.exe", "rawshark.exe", "mergecap.exe", "editcap.exe", "dumpcap.exe", "capinfos.exe"], "NAME": "Wireshark"},
    {"PROCESS": ["mbam.exe", "mbamscheduler.exe", "mbamservice.exe"], "NAME": "MalwareBytes"},
    {"PROCESS": ["AdAwareService.exe", "AdAwareTray.exe", "WebCompanion.exe", "AdAwareDesktop.exe"], "NAME": "Ad-Aware Antivirus"},
    {"PROCESS": ["V3Main.exe", "V3Svc.exe", "V3Up.exe", "V3SP.exe", "V3Proxy.exe", "V3Medic.exe"], "NAME": "Ahnlab V3 Internet Security 8.0"},
    {"PROCESS": ["BgScan.exe", "BullGuard.exe", "BullGuardBhvScanner.exe", "BullGuarScanner.exe", "LittleHook.exe", "BullGuardUpdate.exe"], "NAME": "Bull Guard Antivirus"},
    {"PROCESS": ["clamscan.exe", "ClamTray.exe", "ClamWin.exe"], "NAME": "ClamWin Antivirus"},
    {"PROCESS": ["cis.exe", "CisTray.exe", "cmdagent.exe", "cavwp.exe", "dragon_updater.exe"], "NAME": "COMODO Antivirus"},
    {"PROCESS": ["MWAGENT.EXE", "MWASER.EXE", "CONSCTLX.EXE", "avpmapp.exe", "econceal.exe", "escanmon.exe", "escanpro.exe", "TRAYSSER.EXE", "TRAYICOS.EXE", "econser.exe", "VIEWTCP.EXE"], "NAME": "EScan Antivirus"},
    {"PROCESS": ["FSHDLL64.exe", "fsgk32.exe", "fshoster32.exe", "FSMA32.EXE", "fsorsp.exe", "fssm32.exe", "FSM32.EXE", "trigger.exe"], "NAME": "F-Secure Antivirus"},
    {"PROCESS": ["FProtTray.exe", "FPWin.exe", "FPAVServer.exe"], "NAME": "F-PROT Antivirus"},
    {"PROCESS": ["AVK.exe", "GdBgInx64.exe", "AVKProxy.exe", "GDScan.exe", "AVKWCtlx64.exe", "AVKService.exe", "AVKTray.exe", "GDKBFltExe32.exe", "GDSC.exe"], "NAME": "G DATA Antivirus"},
    {"PROCESS": ["virusutilities.exe", "guardxservice.exe", "guardxkickoff_x64.exe"], "NAME": "IKARUS Antivirus"},
    {"PROCESS": ["iptray.exe", "freshclam.exe", "freshclamwrap.exe"], "NAME": "Immunet Antivirus"},
    {"PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"], "NAME": "K7 Ultimate Antivirus"},
    {"PROCESS": ["nanosvc.exe", "nanoav.exe"], "NAME": "NANO Antivirus"},
    {"PROCESS": ["nnf.exe", "nvcsvc.exe", "nbrowser.exe", "nseupdatesvc.exe", "nfservice.exe", "nwscmon.exe", "njeeves2.exe", "nvcod.exe", "nvoy.exe", "zlhh.exe", "Zlh.exe", "nprosec.exe", "Zanda.exe"], "NAME": "Norman Antivirus"},
    {"PROCESS": ["NS.exe"], "NAME": "Norton Internet Security"},
    {"PROCESS": ["acs.exe", "op_mon.exe"], "NAME": "Outpost ASecurity Suite Pro"},
    {"PROCESS": ["PSANHost.exe", "PSUAMain.exe", "PSUAService.exe", "AgentSvc.exe"], "NAME": "Panda Antivirus"},
    {"PROCESS": ["BDSSVC.EXE", "EMLPROXY.EXE", "OPSSVC.EXE", "ONLINENT.EXE", "QUHLPSVC.EXE", "SAPISSVC.EXE", "SCANNER.EXE", "SCANWSCS.EXE", "scproxysrv.exe", "ScSecSvc.exe"], "NAME": "Quick Heal Antivirus"},
    {"PROCESS": ["SUPERAntiSpyware.exe", "SASCore64.exe", "SSUpdate64.exe", "SUPERDelete.exe", "SASTask.exe"], "NAME": "SUPER Anti-Spyware"},
    {"PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"], "NAME": "K7 Ultimate Antivirus"},
    {"PROCESS": ["uiWinMgr.exe", "uiWatchDog.exe", "uiSeAgnt.exe", "PtWatchDog.exe", "PtSvcHost.exe", "PtSessionAgent.exe", "coreFrameworkHost.exe", "coreServiceShell.exe", "uiUpdateTray.exe"], "NAME": "Trend Micro Antivirus+"},
    {"PROCESS": ["VIPREUI.exe", "SBAMSvc.exe", "SBAMTray.exe", "SBPIMSvc.exe"], "NAME": "VIPRE Security 2015"},
    {"PROCESS": ["bavhm.exe", "BavSvc.exe", "BavTray.exe", "Bav.exe", "BavWebClient.exe", "BavUpdater.exe"], "NAME": "Baidu Antivirus 2015"},
    {"PROCESS": ["MCShieldCCC.exe", "MCShieldRTM.exe", "MCShieldDS.exe", "MCS-Uninstall.exe"], "NAME": "MCShield Anti-Malware Tool"},
    {"PROCESS": ["SDScan.exe", "SDFSSvc.exe", "SDWelcome.exe", "SDTray.exe"], "NAME": "SPYBOT AntiMalware"},
    {"PROCESS": ["UnThreat.exe", "utsvc.exe"], "NAME": "UnThreat Antivirus"},
    {"PROCESS": ["FortiClient.exe", "fcappdb.exe", "FCDBlog.exe", "FCHelper64.exe", "fmon.exe", "FortiESNAC.exe", "FortiProxy.exe", "FortiSSLVPNdaemon.exe", "FortiTray.exe", "FortiFW.exe", "FortiClient_Diagnostic_Tool.exe", "av_task.exe"], "NAME": "FortiClient"},
    {"PROCESS": ["CertReg.exe", "FilMsg.exe", "FilUp.exe", "filwscc.exe", "filwscc.exe", "psview.exe", "quamgr.exe", "quamgr.exe", "schmgr.exe", "schmgr.exe", "twsscan.exe", "twssrv.exe", "UserReg.exe"], "NAME": "Twister Antivirus"}
  ],
  "JAR_REGISTRY": "GPJLxQgafwm",
  "DELAY_CONNECT": 2,
  "SECURITY_TIMES": 1,
  "VBOX": false
}
```
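As an added defender-side example (not code from this page or from Cyphort), the following Python pulls the C2 endpoint and the IFEO target list out of a config in the shape of the dump above, then checks a reg.exe-style registry export for the svchost.exe "debugger" entries described in step 4 and for any IFEO entry whose target is named in the config. The config and the registry export are constructed samples, and the helper names (`scan`, `find_ifeo_hijacks`, and so on) are this example's own.

```python
import json
import re

# Constructed sample in the shape of the Adwind config dump above (trimmed to a few
# entries); the process names and C2 values are the page's own.
SAMPLE_CONFIG = r'''{"NETWORK":[{"PORT":1010,"DNS":"185.75.59.253"}], "INSTALL":true,
 "SECURITY":[{"REG":[{"VALUE":"\"DisableSR\"=dword:00000001\r\n",
   "KEY":"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"}],"NAME":"Restore System"},
  {"PROCESS":["ProcessHacker.exe"],"NAME":"Process Hacker"},
  {"PROCESS":["MSASCui.exe","MsMpEng.exe"],"NAME":"Windows Defender"}], "VMWARE":false, "VBOX":false}'''
# Constructed reg.exe-style export: two Adwind-style entries (one for a target the
# trimmed config does not name) plus a legitimate debugger entry that must not be flagged.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"
'''
IFEO_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT'
                      r'\\CurrentVersion\\Image File Execution Options\\([^\]\\]+)\]$', re.I)
DEBUGGER_VALUE = re.compile(r'^"debugger"="(.*)"$', re.I)

def c2_endpoints(cfg):
    """(host, port) pairs from the NETWORK array of a parsed config."""
    return [(n["DNS"], int(n["PORT"])) for n in cfg.get("NETWORK", [])]

def ifeo_targets(cfg):
    """Lower-cased names from every SECURITY[*].PROCESS list (REG entries are skipped)."""
    return {p.lower() for s in cfg.get("SECURITY", []) for p in s.get("PROCESS", [])}

def find_ifeo_hijacks(reg_lines, targets):
    """Report IFEO entries whose debugger is svchost.exe or whose target is in the config."""
    hits, current = [], None
    for line in reg_lines:
        key = IFEO_KEY.match(line.strip())
        if key:
            current = key.group(1)
            continue
        val = DEBUGGER_VALUE.match(line.strip())
        if val and current:
            debugger = val.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
            if debugger.lower() == "svchost.exe" or current.lower() in targets:
                hits.append({"target": current, "debugger": debugger})
    return hits

def scan(config_text=SAMPLE_CONFIG, reg_text=SAMPLE_REG_EXPORT):
    cfg = json.loads(config_text)
    return c2_endpoints(cfg), find_ifeo_hijacks(reg_text.splitlines(), ifeo_targets(cfg))
```

Against a real host, feed `scan` the output of `reg export` for the IFEO key instead of the constructed sample; an IFEO debugger of svchost.exe for any security product has no legitimate use.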
How Cyphort's ADF Can Help
Cyphort detects Adwind and its C2 communication as TROJAN_ADWIND.CY.