Java-based Trojan was used to attack over 400,000 systems

The Adwind/AlienSpy RAT is back in action as the JSocket malware-as-a-service platform

A cross-platform remote access Trojan that's being openly sold as a service to all types of attackers, from opportunistic cybercriminals to cyberespionage groups, has been used to attack more than 400,000 systems over the past three years.

The RAT (Remote Access Tool/Trojan), which depending on the variant is known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or JSocket, is evidence of how successful the malware-as-a-service model can be for malware creators.

Adwind is written in Java, so it can run on any OS that has a Java runtime installed including Windows, Mac OS X, Linux and Android. The Trojan has been continuously developed since at least 2012 and is being sold out in the open via a public website.

Like most Trojans, Adwind can be used to remotely control infected computers; to steal files, key strokes and saved passwords; to record audio and video through the computer's webcam and microphone and more. Because it has a modular architecture, users can also install plug-ins that extend its functionality.

The Adwind author, who researchers from Kaspersky Lab believe to be a Spanish-speaking individual, is selling access to the RAT on a subscription-based model, with prices ranging from $25 for 15 days to $300 a year. The buyers get technical support, obfuscation services to evade antivirus detection, virtual private network accounts and free scans with multiple antivirus engines to ensure that their sample is not detected when deployed.

Kaspersky Lab estimates that since 2013, attackers have attempted to infect over 440,000 systems with various versions of Adwind. Between August and January alone, attackers used the RAT in around 200 spear-phishing campaigns that have reached over 68,000 users.

The latest incarnation of Adwind was launched in June 2015 under the name JSocket and is still being sold.

"In 2015, Russia was the most attacked country, with UAE and Turkey again near the top, along with the USA, Turkey and Germany," the Kaspersky researchers said in a blog post.

They estimated that by the end of 2015 there were around 1,800 Adwind/JSocket users, putting the developer's annual revenue at over $200,000. The large number of users makes it hard to build an attacker profile. The RAT could be used by anyone from low-level scammers to cyberspies and private individuals looking to monitor their partners or spouses.

In December, researchers working with the Citizen Lab at the University of Toronto's Munk School of Global Affairs documented the activities of a group of attackers that targeted politicians, journalists and public figures from several South American countries. An earlier version of Adwind, called AlienSpy, was listed as one of the malware tools used by the group.

Kaspersky Lab itself started a detailed investigation into Adwind after a financial institution in Singapore received the RAT via rogue emails that were purporting to come from a major Malaysian bank. This was part of a targeted attack that the company believes was launched by a suspect of Nigerian origin who focuses on financial institutions.

"Despite several attempts to take down and stop the Adwind developers from distributing the malware, Adwind has survived for years and has been through rebranding and operational expansion that ranged from the provision of additional plugins for the malware to its own obfuscation tool and a even a warranty for FUD (fully undetected malware) to customers," the Kaspersky researchers said in a research paper.

Since Adwind is written in Java, it is distributed as a JAR (Java Archive) file and needs the Java Runtime Environment (JRE) to run. One possible method to prevent its installation is to change the default application for handling JAR files to something like Notepad. This will prevent the code's execution and will just result in a notepad window with gibberish text in it.

Of course, if JRE is not needed by other applications installed on a computer or by websites visited by its users, then it should be removed. Unfortunately that's not possible in most business environments, as Java is still a major programming language for business applications.

Join the CSO newsletter!

Error: Please check your email address.

More about KasperskyLinux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place