Adwind RAT Resurfaces—with a Zero Detection Rate

 The Adwind remote access Trojan (RAT) has resurfaced, after a few months, in a series of targeted attacks. It’s not your usual RAT—it can bypass antivirus altogether and claims a zero detection rate.

It has been spotted over the weekend in several targeted attacks against Danish companies, according to Heimdal Security. But given that the malicious email employed to deceive victims is in English, the attackers will most likely not stop at Danish borders.

“The RAT was last seen a few months ago, after having been apparently taken down in 2015,” explained Andra Zaharia, security specialist at Heimdal, in an analysis. “It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber-criminals are not ready to give up on using it.”

Adwind, which is a Java-based malware, is often associated with APT campaigns. Heimdal calls it “cross-platform, multifunctional and plain destructive.”

As such, it has a dual purpose: To exfiltrate data from the compromised organizations, and to open a backdoor which allows attackers to feed more malware into the affected machines. Successful Adwind infections give online criminals a backdoor into PCs running Windows, OS X, Linux and even Android. Once the RAT is on the system, the attackers can remotely control the PC and gather key logs, webcam feeds, capture the audio feed, take screenshots and more.

In the observed attacks, if the Adwind code is executed, the infected computer also will be immediately recruited into a botnet.

Any machine that runs Java is potentially vulnerable, but the online criminals behind Adwind are part of a trend towards more targeted attacks that require a smaller infrastructure to carry out.

“This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike,” Zaharia said. “Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them.”

She added that the months spent between these resurges of Adwind could also signal that attackers are taking their time to prepare their strikes, to maximize their chances for success.

As far as protection measures go, admins should build data security in layers, and counsel employees on how to recognize malicious mail. Adwind is being spread by unsolicited mails with the subject line, “Quotation request.”