US petroleum industry entities are targeted by attackers with a new Adwind Remote Access Trojan (RAT) variant featuring multi-layer obfuscation and delivered via a malspam campaign designed to infect targets through malicious attachments or URL redirections to payloads.

Adwind (aka jRAT, AlienSpy, JSocket, and Sockrat) is a cross-platform (i.e., Windows, Linux, macOS) RAT provided by its developers to various threat actors under a malware-as-a-service (MaaS) model.

While the RAT can evade some anti-malware solutions, behavior- and sandbox-based antivirus software should be capable of identifying and blocking it.

Adwind OS checks

RAT payloads delivered via nested JARs

"The majority of these campaigns are delivered through phishing emails. During our analysis of the campaign, we could not obtain the email samples; we could only retrieve the JAR malware samples," Netskope information security researcher Abhinav Singh told BleepingComputer.

Netskope discovered 20 malware samples hosted on compromised user accounts at Westnet, an Australian Internet service provider (ISP). Many of the samples carry multiple file extensions to confuse targets, to take advantage of Windows' default setting that hides known file extensions, or both.

"The samples are relatively new and implement multi-layer obfuscation to try to evade detection. We found 20 RAT samples hosted on the serving domain and spread across six directories, all hosted within the last month."

What makes this Adwind variant stand out are the newly added obfuscation techniques and the multi-stage infection process, in which nested JAR files are used to conceal the malware's presence, much like a set of Matryoshka dolls with the RAT payload as the innermost doll.
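An added example, not code from the article or from Netskope: a small Python triage script that flags the two tricks described above, a decoy double extension such as `invoice.pdf.jar` and archives nested inside a JAR, run against a constructed benign stand-in archive (the extension lists and the `max_depth` bound are assumptions, not values from the report).

```python
import io
import zipfile

# Decoy extension in front of an executable one, e.g. "invoice.pdf.jar": Windows
# hides the final known extension by default, so the user only sees "invoice.pdf".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTS = {"jar", "exe", "js", "vbs", "scr"}

def has_decoy_double_extension(name: str) -> bool:
    """True for 'quote.pdf.jar' style names (decoy extension, then executable one)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS

def walk_jar(data: bytes, path: str = "", depth: int = 0, max_depth: int = 5) -> list:
    """Recursively find archives nested inside a JAR; returns [(member_path, depth)]."""
    findings = []
    if depth >= max_depth:  # bound recursion against archive bombs
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{path}/{info.filename}" if path else info.filename
                payload = zf.read(info)
                # Detect nested archives by ZIP magic rather than extension: the
                # inner JAR is typically stored under an innocuous resource name.
                if payload.startswith(b"PK\x03\x04"):
                    findings.append((inner, depth + 1))
                    findings.extend(walk_jar(payload, inner, depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # not a ZIP/JAR at all, nothing to unpack
    return findings

def assess(filename: str, data: bytes) -> dict:
    nested = walk_jar(data)
    return {"double_extension": has_decoy_double_extension(filename),
            "nested_archives": [p for p, _ in nested],
            "max_nesting": max((d for _, d in nested), default=0)}

def build_sample() -> bytes:
    """Constructed benign stand-in: JAR -> JAR -> class file. Not a real Adwind sample."""
    def jar(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in members.items():
                z.writestr(name, content)
        return buf.getvalue()
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 16  # class-file magic plus padding
    stage3 = jar({"payload/Main.class": fake_class})
    stage2 = jar({"stage3.bin": stage3})
    return jar({"Loader.class": fake_class, "resources/data.dat": stage2})
```

Calling `assess("Invoice_2019.pdf.jar", build_sample())` reports the decoy extension and a nesting depth of 2; in a mail gateway or sandbox pipeline both signals together are a strong reason to quarantine the attachment for analysis.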

Adwind infection chain

"The Jar payload is detected as ByteCode-JAVA.Trojan.Kryptik and the final embedded DLL (step 5) is detected as Gen:Variant.Application.Agentus.1," added Singh.

After the Adwind RAT payload is loaded and linked on the compromised machines by the Adwind class loaded in step 3, the malware will reach out to the command and control (C2) server and, once it connects, it will start

"We deem it to be an attack on the petroleum industry because the different samples of the RAT were all captured from tenants that operate in this industry," Singh told us.

The pattern of targeted attacks was observed after a sudden spike in alerts triggered by detections of the JAR payload designed to distribute this new Adwind variant and the final embedded RAT DLL.

"This leads us to believe that the campaign specifically targeted this particular business vertical," added Singh.

Indicators of compromise (IOCs) including malware sample hashes of the various JAR payloads used in these attacks, as well as IP addresses and domains of C2 and malware delivery servers and pages are available at the end of Netskope's latest Adwind report.

A busy RAT

The Adwind RAT allows its operators to infect targets' computers without triggering anti-malware alerts, to steal sensitive information such as VPN certificates and credentials from web browsers including Chrome, Internet Explorer, and Edge, and to collect and exfiltrate victims' keystrokes.

The RAT is also capable of recording video and sound, snapping photos with the infected system's webcam, mining cryptocurrency, and harvesting cryptocurrency wallet information.

Adwind has been active since 2013, with the RAT having previously been observed in attacks against thousands of individuals and entities from a wide range of industries, including finance, energy, telecom, software, and government among many others.

Last month, researchers with the Cofense Phishing Defense Center observed another Adwind campaign targeting firms from the utility industry via a phishing campaign that also used URL redirection to malicious payloads.

Previously, in March, Netskope researchers observed active attacks in enterprise cloud environments on retail and hospitality industry companies also delivering Adwind RAT payloads.