- The campaign is carried out via phishing emails.
- The phishing email includes a malicious Office file attachment that drops the malware.
An ongoing malspam campaign that has targeted more than 80 Turkish companies has been detected recently. The campaign is carried out via phishing emails that have been designed to distribute Adwind 3.0 RAT.
How does the campaign work?
Discovered by Check Point researchers, the initial attack vector starts with a phishing email that includes a malicious Office file attachment. The file is in a BIFF format and is heavily obfuscated with several evasion techniques to avoid detection.
Once the malicious file is opened, it drops the Adwind 3.0, which is configured to steal sensitive information. The stolen data is later sent to the attacker’s C2 server.
What are the capabilities of Adwind 3.0?
The Adwind 3.0 allows attackers to:
- Take screenshots;
- Take pictures and record videos or sounds from the PC;
- Steal files, cached passwords and web data;
- Collect keystrokes;
- Collect VPN certificates;
- Move laterally in the network; and
- Control the SMS system of Android devices.
What organizations should do?
Security professionals can help their organizations defend against attacks such as the attack by developing and refining processes for promptly responding to successful phishing and business email compromise (BEC) attacks. Companies should also conduct simulated phishing attacks to evaluate the preparedness of their team against any kind of email phishing attacks.