New spam mail campaign found delivering notorious Adwind Trojan bundled with powerful backdoors

Security researchers from TrendMicro have discovered a new spam campaign delivering the notorious, cross-platform remote access trojan (RAT) Adwind along with the XTRAT backdoor and Loki info-stealer. According to their newly published report, researchers identified 5,535 new unique Adwind infections since the beginning of the year, most of which were located in the US, UK, Australia, Japan, Germany, Italy and Taiwan.

Two well-known backdoors also found bundled with Adwind included XTRAT (XtremeRAT) and DUNIHI, a well-known VBScript with backdoor and worm capabilities, in a separate incident. Both were found adopting different methods of exploitation to increase chances of infection.

“The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job," researchers said.

To deliver the malicious bundle, attackers used an compromised RTF document that triggers the CVE-2017-11882 vulnerability. This malicious document is deployed via spam emails such as shown below:

Image Credit: TrendMicro

Once the document is executed via a spam email, it downloads Loki from a malicious website that in turn drops Adwind and XTRAT. This bundle also creates a copy of itself and creates autostart in the registry before disabling all security tools and products on the infected device.

Adwind and XTRAT connects to the same C&C server: junpio70[.] and hopto[.]org and when the payload is executed it starts performing backdoor routines. Their nefarious capabilities include information theft, file and registry management, remote desktop connection, process management, screen capturing, recording via webcam (audio and video), registry manipulation, performs remote shell, control victim's system, and uploading, downloading and executing files.

Meanwhile, the Adwind and DUNIHI bundle have a different execution method. In this instance, attackers use a JAR dropper that ships a VBS dropper that is delivered via a spam email. The VBS dropper then drops and executes DUNIHI and Adwind.

"It is important to note that the VBS dropper checks if the affected system has the Java Runtime Environment (JRE) installed, and if not, it downloads and installs a JRE in the affected system", Trend Micro noted. "This eliminates the immunity point for Adwind since not having a JRE installed prevents Adwind from running."

The spam email that ships the VBS dropper may look like this:

Image Credit: TrendMicro

DUNIHI's backdoor capabilities include executing, uploading and downloading files, updating and uninstalling them, enumerating drivers, executing shell commands, deleting files and folders, and terminating processes.

"Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network," Trend Micro noted. "Since social engineering is a crucial tool of the above-mentioned spam campaign/s, the workforce should have a security mindset to avoid falling for cybercriminal tricks."