A new spam campaign pushing the remote access trojan (RAT) Adwind 3.0 has been detected. The Java-based malware targets Windows, Linux and macOS users, and the campaign's delivery method slips past most antivirus products to infect victims' machines.
The new campaign was first detected by security experts at ReversingLabs and has also been analyzed by experts at Cisco Talos, who determined that most of the victims of the new campaign are located in Turkey.
The cybercriminals behind the campaign are using malicious Microsoft Office documents, attached to spam emails, to infect victims with the RAT. Cisco Talos researchers also discovered that some of the targets of the new campaign were located in Germany.
Adwind, also known as AlienSpy and JSocket, is a multi-function RAT: beyond stealing credentials, it can log keystrokes, take screenshots, and record audio and video.
“This RAT is used by several malicious groups. It gives its operators the ability to execute any kind of commands on its victims, log keystrokes, take screenshots, take pictures or transfer files,” Cisco Talos researchers wrote in a blog post. “In the past, it has been used to run cryptocurrency mining campaigns and in a separate attack that targeted the aviation industry.”
In recent attacks, Adwind was observed attempting to steal the cryptographic keys used to access cryptocurrency wallets. According to Cisco Talos researchers, the new campaign is a reminder that signature-based antivirus software can be evaded by making small modifications to a long-known technique.
“This kind of injection has been known for years, however, this actor found a way to modify it in order to have an extremely low detection ratio,” Cisco Talos researchers said. “The malicious actor used a well-known multiplatform RAT with a wide range of capabilities — a ‘field proven’ RAT that ensured it would work as designed and go undetected.”