[vc_row][vc_column animation_iteration=”1″][mvc_infobox info_style=”mega_info_box_2″ info_opt=”show_icon” icon_size=”35″ icon_height=”75″ icon_radius=”15px” border_width=”2″ title_color=”#cd202c” font_icon=”fa fa-exclamation-triangle” icon_color=”#cd202c” border_clr=”#dd3333″ info_title=”Gateways Bypassed” title_size=”25″ css=”.vc_custom_1585945150237{margin-top: 20px !important;margin-bottom: 30px !important;}” hoverclr=”#cd202c” icon_bg=”#ffffff” hoverbg=”#ffffff”]
Microsoft 365 ATP
[/mvc_infobox][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1597854140643″]The Cofense Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee.
The malware boasts the following features:
- Takes screen shots
- Harvests credentials from Chrome, IE and Edge
- Accesses the webcam, record video and take photos
- Records audio from the microphone
- Transfers files
- Collects general system and user information
- Steals VPN certificates
- Serves as a Key Logger
Email Body
Fig1. Email Body
This email comes from a hijacked account at Friary Shoes. Also note the web address for Fletcher Specs, whose domain threat actors are abusing to host the malware.
The email body is simple and to the point: “Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.
Fig 2. Payload
The initial payload is in the form of a .JAR file named: “Scan050819.pdf_obf.jar.” Note that the attacker has attempted to make the file appear as if it were a PDF by attempting to obfuscate the file true extension.
Fig 3. Running processes
Once executed, we can see that two java.exe processes are created which load two separate .class files. JRAT then beacons out to its command and control server: hxxp://ns1648[.]ztomy[.]com
Fig 4. C2 Traffic
Adwind installs its dependencies and harvested information in: C:UsersByteAppDataLocalTemp. Here we can see the two class files the jave.exe process has loaded along with a registry key entries and several .dlls:
Fig5. Additional dependencies and artifacts
The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software. If we take a closer look at the registry entries file we see that the malware looks for popular antivirus and malware analysis tools.
Fig 6. Anti-Analysis
Indicators of Compromise (IOCs):
Malicious File(s):
File Name: Scan050819.pdf_obf.jar MD5: 6b94046ac3ade886488881521bfce90f SHA256: b9cb86ae6a0691859a921e093b4d3349a3d8f452f5776b250b6ee938f4a8cba2 File size: 634,529 bytes (619K) File Name: _0.116187311888071087770622558430261020.class MD5: 781fb531354d6f291f1ccab48da6d39f SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 File size: 247,088 bytes (241K) File Name: _0.40308597817769314486921725080498503.class MD5: 781fb531354d6f291f1ccab48da6d39f SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 File size: 247,088 bytes (241K) File Name: gCMmWntWwp7328181049172078943.reg MD5: 7f97f5f336944d427c03cc730c636b8f SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57 File size: 27,926 bytes (27K) File Name: Windows3382130663692717257.dll MD5: 0b7b52302c8c5df59d960dd97e3abdaf SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0 File size: 46,592 bytes (45K) File Name: sqlite-3.8.11.2-fd78b49b-d887-492e-8419-acb9dd4e311c-sqlitejdbc.dll MD5: a4e510d903f05892d77741c5f4d95b5d SHA256: a3fbdf4fbdf56ac6a2ebeb4c131c5682f2e2eadabc758cfe645989c311648506 File size: 695,808 bytes (679K) File Name: Windows8838144181261500314.dll MD5: c17b03d5a1f0dc6581344fd3d67d7be1 SHA256: 1afb6ab4b5be19d0197bcb76c3b150153955ae569cfe18b8e40b74b97ccd9c3d File size: 39,424 bytes (38K)
Malicious URL(s):
hxxps://fletcherspecs[.]co[.]uk/ hxxp://ns1648[.]ztomy[.]com
Associated IP(s):
109[.]203[.]124[.]231 194[.]5[.]97[.]28
HOW COFENSE CAN HELP
89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM.It offers a phishing simulation, “Remittance Advice – Adwind,” to educate users on the attack described in today’s blog.
Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.
Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.
Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.
Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.[/vc_column_text][/vc_column][/vc_row]