A form of trojan malware that cybercriminals have used for over five years to steal login credentials and other information from victims has been updated with the ability to hide behind legitimate Java commands to cover up its malicious behavior.
The Adwind remote access trojan (RAT), also known as AlienSpy and jRAT, first appeared in 2013 and is sold as a service to criminals who want to use its credential-theft, keylogging, audio-recording and anti-malware evasion capabilities.
Now a new variant of the malware has appeared that seems to specifically target Windows and common Windows applications, including Internet Explorer and Outlook, along with Chromium-based browsers such as Brave, which was released only this year.
As detailed by Menlo Security researchers, Adwind's latest incarnation is delivered as a JAR (Java archive) file, with its malicious intent hidden behind many layers of packaging and encryption to make signature-based detection ineffective.
Once the malware has unpacked a list of command-and-control server addresses, Adwind is activated and able to receive commands and send stolen data to those servers, including banking credentials, credentials for installed applications, and passwords stored in the browser.
This latest version of Adwind also hides its behavior by acting like any other Java command, allowing its activity to proceed without being detected.
The authors do this by hiding the malicious JAR file among many legitimate JAR applications, using encryption to make the original JAR file difficult to detect, and loading additional JAR files from a remote server. All of this makes abnormal activity hard to spot.
“It's like being in a crowd of millions of people and trying to pick out the one wearing a green T-shirt without being able to look under people's jackets. There is nothing suspicious about its existence, its appearance or even its original behavior; it seems normal,” said Krishnan Subramanian, a security researcher at Menlo Labs.
However, Adwind lets its mask slip in one way: when it sends stolen credentials to a remote server, it uses commands that are not related to Java, although by the time the malware sends information to the intruders, the theft is already complete. “From the perspective of crawling, visibility into online and electronic traffic is essential. These jRAT file names appear to have a template using common financial terms such as ‘Remittance’, ‘Payment’ and ‘Advice’. Check the file name of a Java application before invoking it,” Subramanian said.
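As an added example (not code from the article or from Menlo Security), the following Python triage check applies the two observable traits described above to a JAR before it is run: financial lure terms in the file name, and JAR files nested inside other JAR files. The lure-term list and the sample archive are constructed here for illustration.

```python
import io
import re
import zipfile

# Financial lure terms the article reports in jRAT file names (constructed list).
LURE_TERMS = ("remittance", "payment", "advice")
LURE_RE = re.compile("|".join(LURE_TERMS), re.IGNORECASE)


def lure_terms_in_name(filename: str) -> list[str]:
    """Return the lure terms present in a JAR file name, lower-cased and sorted."""
    return sorted({m.lower() for m in LURE_RE.findall(filename)})


def count_nested_jars(jar_bytes: bytes, max_depth: int = 5) -> int:
    """Count .jar entries packed inside a JAR, recursing into each nested archive."""
    if max_depth == 0:
        return 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return 0  # not a ZIP/JAR at all, nothing to recurse into
    total = 0
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".jar"):
                total += 1 + count_nested_jars(zf.read(info), max_depth - 1)
    return total


def assess_jar(filename: str, jar_bytes: bytes) -> dict:
    """Flag a JAR as suspicious if its name carries a lure term or it nests other JARs."""
    terms = lure_terms_in_name(filename)
    nested = count_nested_jars(jar_bytes)
    return {"lure_terms": terms, "nested_jars": nested, "suspicious": bool(terms) or nested > 0}


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jar() -> bytes:
    """Constructed sample: a loader JAR wrapping a JAR that wraps yet another JAR."""
    inner = _make_zip({"payload/Core.class": b"\xca\xfe\xba\xbe"})
    middle = _make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "lib/inner.jar": inner})
    return _make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Loader\n",
                      "Loader.class": b"\xca\xfe\xba\xbe", "lib/middle.jar": middle})
```

Running `assess_jar("Remittance_Advice.jar", build_sample_jar())` reports two lure terms and two nested JARs; a plain archive with an unremarkable name is reported as not suspicious.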