Sunday, November 19, 2017

Detecting Adwind malware weaponized in MS office documents

In a daily basis I see lot of Adwind malware trying to infect end users

Adwind is a multiplatform Remote Access Trojan (RAT) which has been in the wild for some time. In this Kasperky Blog post there is a good historical analysis.

In most of the cases Adwind is delivered as an attachment via email (as ZIP or JAR file), but it is not the only way.  I've dealt with incidents involving Adwind where the infection vector was a malicious link.

Other potential infection vector is via weaponized MS office documents. Some of this weaponized document have really low detection rate, like the one above, which it is only detected by 20% of the Antivirus at the moment of this writing and 8 AV (from of a total of 60) when the file was originally reported


The malicious payload, a JAR file, is included in the MS office Document as an OLE object.

This can be seen doing some manual analysis on the file:

A Simple Use Case to detect the malware is to monitor any process spawned by MS Office, in this case it is a Java Process

In terms of persistence, the malware can be detected easily, as it creates an entry in the registry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run " pointing to a java executable which it is allocated in the the AppData directory of the user:

This can be easily hunt with a remote PowerShell query, like the one below

Adwind malware kills massively processes relates to Antivirus and monitor tools, which can be also a good indicator for detection

To avoid those processes to be executed again the malware uses an interesting trick. It includes the processes in the registry key as 'debugger=svchost.exe' using the "Image File execution Option". This technique is described in this blog post

This can be spotted straight forward with a query, checking any registry imported from the AppData user folder, like the one above:

Another way is to monitor all the registry keys being set with debugger