According to reports by various security researchers, an “unusual” cross-platform Java-based remote access trojan (RAT) has been spotted, that is believed to have infected 443,000 victims between 2013 and 2016.
This was best explained by the blog post by Alexander Gostev and Vitaly Kamluk, the chief security expert and director of the global research and analysis team at Kaspersky Lab APAC, which said,
“The malware sample we received was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the e-mail senders points to a server in Romania while the mail server and account used to belong to a company located in Russia.“
The Trojan, Adwind RAT, is sent via the payload of a phishing campaign’s malicious email attachment. It is also known as AlienSpy, JSocket, and jRat.
After getting executed, the malware can collect keystrokes, take screenshots, steal cached passwords, collect user information, and even manage the SMS on an Android device.
Alexander Gostev believes that this represents a worrying trend and said,
The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cyber crime. What we can say based on our investigation of the attack against a Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform’s ‘clients’ have that level of computer education.
The malware dates back to at least 2012 and had effected 443,000 victims the RAT since 2013, with 60 companies in manufacturing, finance, engineering, retail, government, shipping, telecommunications, software, education, food production, healthcare, media, and energy among the top targets.
At present, RAT’s author has changed the name to “JSocket” and now is selling the service for $30 a month or $200 for an unlimited use license via an open website.
