JBiFrost is back: phishing emails spread a version of Adwind RAT

Adwind RAT variant JBiFrost was spotted spreading via malicious spam emails

Adwind RAT variant JBiFrost spreads via spam

Adwind Remote Access Trojan (RAT) is back. Its variant JBiFrost has been seen spreading via spam emails that contain a link to Dropbox. The link leads to a file named “PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar”, which drops malware on the system immediately.

Cyber criminals still rely on phishing as their main malware distribution method. This time they send emails with the subject line “payment swift copy-USD-39,814-15.”[1] The email itself asks the recipient to check the payment details in the attached file:

Dear Sir

Please find herewith the attached file of payment swift copy-USD-39,814-15. Please acknowledge receipt it.

Best Regards

https: //www.dropbox [.] com / s / 6etniblieaywcpm / PAYMENT% 20SWIFT% 20COPY_Parimex% 20USD_39% 2C814-15_pdf.zip? dl = 3D1

As noted above, the Dropbox link leads to an obfuscated file that downloads malware onto the system. When users click the link, they receive a malicious zip file containing the infected .jar file; a .jar is a Java archive that the Java runtime can execute as a program, so opening it runs the attacker's code.
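A defender-side check for this delivery chain, added here as an example and not taken from the article: it opens a zip attachment, flags members whose names pose as a document but end in .jar (as the “…_pdf.jar” lure does), and confirms which members are actually Java archives. The sample archive is constructed inline and contains no real malware.

```python
import io
import re
import zipfile

# Names that pose as a document but end in an executable Java archive,
# e.g. "PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar" from the lure.
DECEPTIVE_JAR = re.compile(r"[._ -](pdf|doc|docx|xls|xlsx)[._ -]*\.jar$", re.IGNORECASE)

def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive; treat one carrying META-INF/MANIFEST.MF as Java-executable."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            return "META-INF/MANIFEST.MF" in jar.namelist()
    except zipfile.BadZipFile:
        return False

def scan_zip_attachment(blob: bytes) -> list[str]:
    """Return one finding per suspicious member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            name = info.filename
            member = archive.read(name)
            if DECEPTIVE_JAR.search(name):
                findings.append(f"{name}: document-style name with .jar extension")
            if is_jar(member):
                findings.append(f"{name}: executable Java archive")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP wrapping a minimal JAR named like the lure (no real payload)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        j.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar", jar.getvalue())
        z.writestr("readme.txt", "harmless text")
    return outer.getvalue()

if __name__ == "__main__":
    for line in scan_zip_attachment(build_sample()):
        print(line)
```

The same two checks apply to a bare .jar attachment: run `is_jar` on its bytes and `DECEPTIVE_JAR` on its filename.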

Soon after infiltration, the JBiFrost RAT connects to its Command & Control server. Once communication is established, the criminals gain remote access to the affected machine and can steal personal information, open a backdoor for other malware, and read, write or even delete files.

Adwind RAT emerged in 2012

Adwind has been known for several years as the most actively deployed remote access trojan. The RAT was first detected in 2012 under the name Frutas RAT. After a year of malicious activity, it was rebranded as Adwind in January 2013. Security researchers stuck to this name, but the criminals renamed it a couple more times.

The trojan was renamed Unrecom in February 2014 and, a few months later in October, rebranded as AlienSpy. In June 2015 the crooks created another variant, JSocket RAT, which was later shut down.[2]

However, the criminals needed only a few months after JSocket was deactivated to create a new Adwind variant. JBiFrost RAT appeared on May 15, 2016,[3] and has continued its malicious activity since.

The malware is a backdoor trojan that can affect devices running Windows, Linux, Mac OS X and Android. It is a cross-platform, multifunctional cyber threat that can:

  • steal personal information, such as passwords, data saved in web forms, and other user information;
  • collect keystrokes;
  • harvest system-related information;
  • take pictures and record video with the affected device’s webcam;
  • record sound with the device’s microphone;
  • take screenshots;
  • transfer files;
  • steal keys for cryptocurrency wallets;
  • steal VPN certificates.

Adwind malware targets companies, organizations, and private users

During its lifetime, the Adwind virus[4] has caused the most problems for businesses and organizations. According to various research reports, the malware targets the manufacturing, shipping, engineering, energy, aerospace, finance, healthcare, retail, design, telecom, media, software, food production, education and government sectors.

Adwind RAT has attacked companies and organizations in the USA, Germany, Italy, Turkey, Russia, the United Arab Emirates, India, Hong Kong, Vietnam, and Taiwan. However, this does not mean the malware cannot spread to other countries.

Users and organizations are reminded to be careful with received emails and not to rush to open attachments. It is important to make sure that a payment, invoice or other important document is actually safe to open.[5]

About the author

Lucia Danes, Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
