TENERIFE – Researchers have uncovered a multi-platform backdoor called Adwind that is being sold as a tool for cybercriminals who have used it to infect banks around the world.
The backdoor has been in use for several years and the criminals behind it have gone through several different iterations. Adwind is the most recent version of the backdoor, and researchers say it is used in targeted attacks and has no ability to self-infect computers. The attackers must rely on victims opening a malicious .JAR attachment.
The Adwind malware, which also is known as Alienspy, has a variety of capabilities, including keystroke logging, password stealing, taking screenshots, recording sound from the machine’s microphone, and stealing keys for cryptocurrencies. Adwind is sold on a subscription basis, and researchers at Kaspersky Lab, who analyzed the malware, say it could be making the criminal behind it as much as $200,000 a year.
“It has a large user base and it’s being used in a lot of different countries,” Vitaly Kamluk, a researcher at Kaspersky, said at the company’s Security Analyst Summit here Monday.
A bank in Singapore that was infected with Adwind shared a sample of the malware with Kaspersky’s researchers, who dug into the code. The malware works on a number of platforms, including Windows, OS X, Android, and Linux. That kind of cross-platform capability is relatively rare, but Kamluk said he expects that to change soon.
“We should expect more and more cross-platform RATs,” he said. “They will become standard.”
The attackers who are using Adwind don’t use zero-day vulnerabilities to infect target machines. Rather, they rely on the tried-and-true method of spear-phishing with malicious attachments.
“Adwind doesn’t self-infect computers or spread automatically. It relies on user interaction: double-clicking the .JAR attachment in the email or doing the same from an archive. Alternatively, it can be spread via other containers like .hta or .vbs files, which install Java if it’s not available on the system and download the main Adwind.JAR file from a remote server,” an FAQ on the malware says.
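Because the delivery chain described in the FAQ depends entirely on the recipient opening a .JAR (or an .hta/.vbs dropper that fetches one), a mail gateway can triage attachments on both extension and content. The following is an added illustration, not code from the article or from Kaspersky; the filenames and attachment bytes are constructed for the demo, and the check for a runnable JAR (ZIP container plus a manifest with a Main-Class entry) is a general property of the format, not an Adwind-specific signature.

```python
import io
import os
import zipfile

# Container types the article names in the Adwind delivery chain:
# the main .JAR payload and the .hta/.vbs droppers that download it.
RISKY_EXTENSIONS = {".jar", ".hta", ".vbs"}


def is_executable_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive whose manifest declares a Main-Class."""
    if not data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return False
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            return any(line.lower().startswith("main-class:") for line in manifest.splitlines())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held; an empty list means no finding."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext} is a known Adwind container type")
    if is_executable_jar(data):  # catches JARs renamed to a harmless-looking extension
        reasons.append("content is a runnable JAR (ZIP with Main-Class manifest)")
        if ext != ".jar":
            reasons.append("extension does not match JAR content")
    return reasons


def build_jar(main_class: str) -> bytes:
    """Constructed sample: a minimal JAR-shaped archive with an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n")
        zf.writestr(main_class.replace(".", "/") + ".class", b"")
    return buf.getvalue()


# Constructed sample attachments (hypothetical names, no real malware content).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "Remittance_Advice.jar": build_jar("Start"),
    "scan.pdf": build_jar("Loader"),  # runnable JAR hiding behind a .pdf name
    "payment_details.vbs": b'Set o = CreateObject("WScript.Shell")\r\n',
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        print(name, triage_attachment(name, blob) or ["no finding"])
```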
Kamluk said the Adwind malware has become a favorite of some Nigerian attackers, who are switching from their old email scams to malware attacks.