Adwind: A cross-platform RAT

Published on 28th August 2017, 09:49:00 UTC


Adwind (also known as "jRAT" and "JSocket") is a remote access tool (RAT) written in Java. The use of Java makes Adwind a powerful cross-platform malware: it infects not only systems running the Windows operating system but also macOS, Linux and, by now, Android. However, Java must be installed on the victim's device. While Java is usually not pre-installed on Windows, macOS or Linux, it is a very popular programming language in many corporations. If you look at small and medium-sized enterprises, you will have a hard time finding a corporate network without at least one Java-based application. As a result, it is fair to say that Java is installed on most corporate computers worldwide. According to Oracle (the company that maintains Java), Java is installed on more than 3 billion devices, including ATMs. In short: a wonderful target for malware.

Java 9 installation wizard.

Adwind's success story started in 2012, and the malware has become more popular in the past two years. In early 2017, Trend Micro reported attacks against enterprises and industrial companies in multiple countries that used Adwind to infiltrate the victims' networks. Adwind has become a severe threat not only to home users but also to small and medium-sized enterprises, many of which underestimate it.

The main infection vector of Adwind is spam email, usually carrying a ZIP archive that contains a .jar file, or pointing to a malware download URL that serves the Java archive containing Adwind.
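As an added example (not code from the original post), the following Python script checks an e-mail attachment for the attachment shape described above: a ZIP archive wrapping a .jar file. It identifies JARs by content (a ZIP with a META-INF/MANIFEST.MF naming a Main-Class) rather than by file extension, recurses into nested archives with a depth and size bound, and runs against a constructed sample attachment built in memory; the file names in it are made up.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse to expand huge members (zip-bomb guard)


def build_sample_jar() -> bytes:
    """Constructed stand-in for a malicious JAR: a ZIP with a manifest naming a Main-Class.
    The class file is a dummy (only the 0xCAFEBABE magic); nothing here is a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: Main\r\n\r\n")
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed attachment in the shape Adwind spam uses: a ZIP wrapping the JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("Payment Advice.jar", build_sample_jar())  # hypothetical file name
        outer.writestr("readme.txt", "please see attached")
    return buf.getvalue()


def is_executable_jar(data: bytes) -> bool:
    """True if data is a JAR that 'java -jar' would run: a ZIP containing
    META-INF/MANIFEST.MF with a Main-Class entry. Decided by content, not extension,
    so renaming the file (.jar -> .zip, .pdf.jar, ...) does not hide it."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "META-INF/MANIFEST.MF" not in z.namelist():
                return False
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            return any(line.lower().startswith("main-class:")
                       for line in manifest.splitlines())
    except zipfile.BadZipFile:
        return False


def find_jars(data: bytes, name: str, depth: int = 0, max_depth: int = 3) -> list:
    """Return the paths of every executable JAR inside an attachment, recursing
    into nested ZIPs up to max_depth levels (bounded so crafted archives cannot
    keep the scanner busy forever)."""
    hits = []
    if depth > max_depth or not data.startswith(ZIP_MAGIC):
        return hits
    if is_executable_jar(data):
        return [name]  # a JAR's own entries are classes, not further archives
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                    continue
                member = z.read(info)
                hits.extend(find_jars(member, f"{name}/{info.filename}",
                                      depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass
    return hits


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(find_jars(sample, "attachment.zip"))
```

The check deliberately ignores the extension: a mail gateway that only matches `*.jar` misses a JAR renamed to `.zip` or double-extension names, while a JAR is still a ZIP with a manifest no matter what it is called.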

According to a 2016 report [PDF] by security researchers at Kaspersky, Adwind was sold as "malware-as-a-service" in 2016:

"JSocket.org is a website that implements a concept known as malware-as-a-service, which is a commercially available malware tool that can be used on a subscription basis, and which includes basic technical support, additional paid components and modules, as well as accompanying services such as obfuscation to evade AV detection, a free VPN service for members with the ability to map ports for incoming connections at the VPN termination point and free checks using tens of different AV engines. The project runs openly as if it were providing completely"

Source: Kaspersky

Another reason why Adwind became so successful is its poor detection rate. Adwind samples have a notoriously bad detection rate on antivirus engines, as these examples show:

Adwind sample (MD5)               Filename               AV coverage
78f92dfa38e5c672cb1efa2adbdab340  Swift copy #51009.jar  0 / 60
0cbd3cf4aee89ac85236a69c1d83e4b2  Doc249356.jar          0 / 60
c1b22109756b19c5e4b030864fc4c1ad  mnbn.jar               1 / 60
7b6f2830d935d1d96fbfe28d2cf17652  Payment Advice.jar     1 / 57
07b53030ecbd2e82bfb2013ffbaaee09  989007_ORDER.jar       3 / 60

Looking into some recent Adwind samples, I noticed that many of them were beaconing to botnet command and control servers (C&Cs) associated with a hosting provider called "AnMaXX". AnMaXX sells "SEO hosting" under the brand "IP NetworX" (aka Final Infinity Inc), a company registered in the Seychelles:

Final Infinity Inc.
Ip-NetworX.com
Final Infinity Inc.
F20, 1st Floor, Eden Plaza
Eden Island
Seychelles
support@ip-networx.com

The domain name "ip-networx.com" is registered to a person named Dimitri Makarovic (domainrobotx@gmail.com). According to its corporate website, the company sells "SEO hosting for Professionals" across different class A networks. For around $100 USD you can get 50 IP addresses spread over multiple class A and class B networks. So-called private blog networks (PBNs) own hundreds or even thousands of domain names and use such services to link their websites to each other. By using different domain names hosted on different nameservers and in different class A or class B networks, the owner of a PBN tries to hide the fact that the websites belong together and to get a better position for them on common search engines (search engine optimisation).

IP NetworX website

But the service apparently does not only attract PBNs and blackhat SEO campaigns but also Adwind botnet operators, who use AnMaXX's network to host their botnet command and control (C&C) infrastructure. In recent weeks, I've seen dozens of Adwind botnet C&Cs hosted in IP space operated by AnMaXX. Unlike common hosting providers, AnMaXX apparently doesn't have its own IP prefixes announced under its own AS; instead it rents IP space from various hosting providers around the world. Below is a list of 16 prefixes rented and operated by AnMaXX (prefix, originating AS, country code). Almost all of them were related to Adwind C&C hosting in the past weeks:


79.134.225.0/24      AS6775     CH
185.101.34.64/26     AS34989    NO
95.167.151.224/27    AS12389    RU
89.35.228.192/26     AS34304    RO
191.101.22.0/24      AS42831    UK   anthony.marshall.1986@GMAIL.COM
146.255.79.160/27    AS34547    MK
154.16.201.0/24      AS200995   FR
154.16.220.0/24      AS56630    RU
154.16.63.0/24       AS50841    GB
176.10.124.192/26    AS51395    CH
181.215.247.0/24     AS57944    NO
185.145.45.0/24      AS49981    NL
213.183.40.0/26      AS56630    DE
213.183.58.0/26      AS56630    RU   anthony.marshall.1986@GMAIL.COM
95.140.125.0/25      AS9125     RS
77.48.28.192/26      AS6830     CZ

Reading through the Kaspersky report again, it is possible that these prefixes are used by a malware-as-a-service like the one described there: VPN termination points at which incoming ports used by Adwind campaigns are mapped to different Adwind customers.

In any case, you should definitely check your network perimeter for outgoing TCP traffic towards these prefixes in order to spot Adwind-infected machines in your network. If you want to avoid false positives, you can exclude TCP ports 80 and 443, at the cost of missing any C&C that listens on those ports. But as a matter of fact, I couldn't find any good content hosted on these networks, so using the list of IP prefixes as an indicator of compromise (IOC) or blocklist shouldn't cause many false positives.
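An added example (not the original post's code) of the perimeter check described above: it matches outgoing connections from constructed, made-up firewall log lines against the prefixes listed earlier, ignores non-TCP traffic, and optionally excludes destination ports 80 and 443 as suggested. The log line format is an assumption made for the example; adapt `parse_line` to whatever your firewall or NetFlow export produces.

```python
import ipaddress

# The AnMaXX prefixes listed above that were seen hosting Adwind C&Cs.
ADWIND_C2_PREFIXES = [ipaddress.ip_network(p) for p in (
    "79.134.225.0/24", "185.101.34.64/26", "95.167.151.224/27", "89.35.228.192/26",
    "191.101.22.0/24", "146.255.79.160/27", "154.16.201.0/24", "154.16.220.0/24",
    "154.16.63.0/24", "176.10.124.192/26", "181.215.247.0/24", "185.145.45.0/24",
    "213.183.40.0/26", "213.183.58.0/26", "95.140.125.0/25", "77.48.28.192/26",
)]

# Constructed firewall log lines in an assumed format:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# None of these flows are real; the internal hosts and ports are made up.
SAMPLE_LOG = """\
2017-08-25T10:01:12Z TCP 10.0.0.17:49211 -> 79.134.225.11:1604
2017-08-25T10:01:15Z TCP 10.0.0.17:49212 -> 93.184.216.34:443
2017-08-25T10:02:03Z TCP 10.0.0.42:50100 -> 185.101.34.70:443
2017-08-25T10:02:40Z UDP 10.0.0.42:51000 -> 213.183.58.20:53
2017-08-25T10:03:01Z TCP 10.0.0.99:50300 -> 154.16.63.250:8080
"""


def match_prefix(ip: str):
    """Return the listed prefix that contains ip, or None if it is not on the list."""
    addr = ipaddress.ip_address(ip)
    for net in ADWIND_C2_PREFIXES:
        if addr in net:
            return net
    return None


def parse_line(line: str) -> dict:
    """Split one log line into its fields (the assumed format documented above)."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.upper(), "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def find_adwind_beacons(log_text: str, exclude_ports=frozenset()) -> list:
    """Flag outgoing TCP connections to the listed prefixes.
    exclude_ports lets the caller drop 80/443 to trade coverage for fewer false positives."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] != "TCP" or ev["dst_port"] in exclude_ports:
            continue
        net = match_prefix(ev["dst_ip"])
        if net is not None:
            hits.append((ev["ts"], ev["src_ip"], ev["dst_ip"], ev["dst_port"], str(net)))
    return hits


if __name__ == "__main__":
    for hit in find_adwind_beacons(SAMPLE_LOG):
        print("possible Adwind beacon:", hit)
    print("with 80/443 excluded:",
          len(find_adwind_beacons(SAMPLE_LOG, exclude_ports={80, 443})), "hits")
```

On the constructed log the unfiltered run flags three internal hosts; excluding 80 and 443 drops the connection to 185.101.34.70:443, which illustrates the trade-off mentioned above: fewer false positives, but a C&C listening on a web port is no longer caught.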

You can download the plain list of prefixes and related Adwind botnet C&C domain names here:
