Adwind: A cross-platform RAT
Published on 28th August 2017, 09:49:00 UTC
Adwind (also known as "jRAT" and "JSocket") is a remote access tool (RAT) written in Java. The use of Java makes Adwind to a powerful cross-platform malware: It does not only infected systems running the Windows operating system but also macOS, Linux and meanwhile also Android. However, Java must be installed on the victims device. While Java is usually not pre-installed on Windows, macOS or Linux, Java is a very popular programming language in many corporates. If you look at small- and medium enterprises, you will have a hard time to not find at least one Java based application in any corporate network. As a result of that, it is fair to say that Java is installed on most of the corporate computers world wide. According to Oracle (the company who maintains Java), Java is installed on more than 3 Billion devices, including ATMs. In short: a wonderful target for malware.
The success story of Adwind started in 2012 and became more popular in the past two years. In early 2017, Trend Micro reported attacks against enterprises and industry in multiple countries involving Adwind to infiltrate the victims network. Adwind became not only a sever threat to home users but also small- and medium enterprises that many underestimate.
The main infection vector of Adwind is through spam emails, usually poisoned with a ZIP archive containing a .jar file or pointing to a malware download URL that serves the Java file that includes Adwind.
According to a report from security researchers at Kasperksy from 2016 [PDF], Adwind was sold as "malware-as-a-service" in 2016:
"JSocket.org is a website that implements a concept known as malware-asa-service,
which is a commercially available malware tool that can be used
on a subscription basis, and which includes basic technical support, additional
paid components and modules, as well as accompanying services such as
obfuscation to evade AV detection, a free VPN service for members with
the ability to map ports for incoming connections at the VPN termination
point and free checks using tens of different AV engines.
The project runs openly as if it were providing completely"
Source: KasperskyAnother reason why Adwind became so successful is the poor detection rate. Adwind malware samples do have an notorious bad detection rate:
| Adwind sample (MD5) | Filename | AV coverage |
|---|---|---|
| 78f92dfa38e5c672cb1efa2adbdab340 | Swift copy #51009.jar | 0 / 60 |
| 0cbd3cf4aee89ac85236a69c1d83e4b2 | Doc249356.jar | 0 / 60 |
| c1b22109756b19c5e4b030864fc4c1ad | mnbn.jar | 1 / 60 |
| 7b6f2830d935d1d96fbfe28d2cf17652 | Payment Advice.jar | 1 / 57 |
| 07b53030ecbd2e82bfb2013ffbaaee09 | 989007_ORDER.jar | 3 / 60 |
Looking into some recent Adwind samples, I noticed that many of them where beaconing to botnet Command&Control Servers (C&Cs) that are associated with a hosting provider called "AnMaXX". AnMaXX sells "SEO hosting" under the brand "IP NetworX" (aka Final Infinity Inc), a comany registered in the Seychelles:
Final Infinity Inc.
Ip-NetworX.com
Final Infinity Inc.
F20, 1st Floor, Eden Plaza
Eden Island
Seychelles
support@ip-networx.comThe domain name "ip-networx.com" is registered to a person with the name Dimitri Makarovic (domainrobotx@gmail.com). According to their corporate website, the company sells "SEO hosting for Professionals" across differnt class A networks. For around $100 USD you can get 50 IP addresses on multiple class A and B networks. So called private blog network (PBN) own hundreds or even thousands of domain names and use such services to link the websites to each other. By using different domain names hosted on different nameservers and A- or B-class network, the owner of the PBN tries to hide the fact that the websites belong to each other and tries to get a better position for his websites on common search engines (search engine optimisation).
But the services apperently does not only attract PBN and blackhat SEO campaigns but also Adwind botnet operators who use AnMaXX network to host their botnet Command&Control infrastructure (C&C). In the recent weeks, I've seen dozens of Adwind botnet C&Cs hosted at IP space owned by AnMaXX. Unlike common hosting providers, AnMaXX apperently doesn't have their own IP prefixes they would announce under their own AS, rather than renting IP space at various hosting providers around the world. Below is a list of 17 prefixes that are rent and operated by AnMaXX. Almost all of them were releated to Adwind C&C hosting in the past weeks:
79.134.225.0/24 AS6775 CH
185.101.34.64/26 AS34989 NO
95.167.151.224/27 AS12389 RU
89.35.228.192/26 AS34304 RO
191.101.22.0/24 AS42831 UK anthony.marshall.1986@GMAIL.COM
146.255.79.160/27 AS34547 MK
154.16.201.0/24 AS200995 FR
154.16.220.0/24 AS56630 RU
154.16.63.0/24 AS50841 GB
176.10.124.192/26 AS51395 CH
181.215.247.0/24 AS57944 NO
185.145.45.0/24 AS49981 NL
213.183.40.0/26 AS56630 DE
213.183.58.0/26 AS56630 RU anthony.marshall.1986@GMAIL.COM
95.140.125.0/25 AS9125 RS
95.167.151.224/27 AS12389 RU
77.48.28.192/26 AS6830 CZReading through the report from Kaspersky again, it is possible that the said prefixes are used by a malware-as-a-service, mapping certain incoming ports used by Adwind malware campaigns to different Adwind customers.
In any case, you should definitely check your network perimeter for outgoing TCP traffic towards these prefixes in order to spot Adwing infected machines in your network. If you want to be on the safe side you can exclude TCP port 80 and 443 to avoid false positive. But as a matter of fact I couldn't find any good content hosted on these networks, so using the said list of IP prefixes as indicator of compromise (IOC) or blocklist shouldn't cause many false positives.
You can download the plain list of prefixes and related Adwind botnet C&C domain names here: