Adwind is a multiplatform Remote Access Trojan (RAT) that has been in the wild for some time. This Kaspersky blog post gives a good historical analysis.
In most cases Adwind is delivered as an email attachment (a ZIP or JAR file), but that is not the only way. I've dealt with incidents involving Adwind where the infection vector was a malicious link.
Another potential infection vector is weaponized MS Office documents. Some of these weaponized documents have a really low detection rate, like the one above, which is detected by only 20% of the antivirus engines at the time of this writing and was detected by 8 AV engines (out of a total of 60) when the file was originally reported.
The malicious payload, a JAR file, is embedded in the MS Office document as an OLE object.
This can be seen with some manual analysis of the file:
A simple use case for detecting the malware is to monitor any process spawned by MS Office; in this case it is a Java process.
In terms of persistence, the malware can be detected easily, as it creates an entry in the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" pointing to a Java executable located in the user's AppData directory:
This can easily be hunted with a remote PowerShell query, like the one below.
Adwind massively kills processes related to antivirus and monitoring tools, which can also be a good indicator for detection.
To prevent those processes from being executed again, the malware uses an interesting trick: it registers each of those processes under the "Image File Execution Options" registry key with 'debugger=svchost.exe'. This technique is described in this blog post.
This can be spotted straightforwardly with a query checking for any registry file imported from the user's AppData folder, like the one above:
Another way is to monitor all the registry keys being set with a debugger value.
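The two registry hunts described above (the HKCU Run entry pointing at a Java binary under AppData, and IFEO subkeys carrying a Debugger value) combined into one remote query, as an added example that is not the post's own script. It assumes PowerShell Remoting is enabled on the target, and the host name is a placeholder.

```powershell
# Added hunting example (not from the original post). Assumes PSRemoting is
# enabled on the target host; 'WORKSTATION01' is a placeholder name.
$ComputerName = 'WORKSTATION01'

$detections = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $findings = @()
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Persistence: Run values pointing at a Java binary or JAR under AppData.
    #    Remote sessions run under the admin account, so HKCU would be the wrong
    #    hive; walk every loaded user hive under HKEY_USERS instead.
    $runKeys = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" } |
        Where-Object { Test-Path $_ }

    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)appdata' -and $cmd -match '(?i)(javaw?\.exe|\.jar)') {
                $findings += [pscustomobject]@{
                    Check = 'RunKey'; Key = $key; Name = $p.Name; Value = $cmd; Severity = 'High'
                }
            }
        }
    }

    # 2. Process blocking via IFEO: any subkey with a Debugger value. Legitimate
    #    debuggers do use this, so only a Debugger of svchost.exe (the trick
    #    described in the post) is rated High; everything else is for review.
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $ifeoRoots) {
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            $sev = if ($dbg -match '(?i)svchost\.exe') { 'High' } else { 'Review' }
            $findings += [pscustomobject]@{
                Check = 'IFEO'; Key = $sub.PSChildName; Name = 'Debugger'; Value = $dbg; Severity = $sev
            }
        }
    }
    $findings
}

$detections | Sort-Object Severity, Check | Format-Table -AutoSize
```

Run it against a list of hosts by passing an array to -ComputerName; each finding carries the PSComputerName property that Invoke-Command adds, so results can be grouped per machine.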
IOC:
185.172.25.13
245addb0e7b0d9f63e8a63efb8c77ffdc4e39cb2ddbbe8a138f3203e7458caf5