We have recently noticed a run of what we were detecting as Turkish-language Adwind hitting UK and US enterprises in the transportation and IT industries. Adwind is a java-based, platform-independent RAT capable of infecting multiple platforms and has been established to be a further evolution of Unrecom and Frutas. You can see our previous Fidelis Threat Advisory on Unrecom here. In light of the recent discussions on njRAT building on research published by others and our Threat Advisories (FTA #1009, FTA #1010), we thought it would be worth noting global runs involving other malware popular in the Middle East. This post will highlight some of the tactics used and provide IOCs for the community to use.
The delivery mechanism is largely the same, filenames purporting to be purchase orders, lists, delivery notifications and more recently, tax-related lures ending with a .jar extension. In some cases, however, web-based infection models were seen. The Turkish language versions followed the same model and courtesy of Google Translate we were able to glean they used the same lures. Searching on those filenames indicates that this particular actor or actors have been sending these lures out since June 2014.
As of this blog post, VirusTotal reports a majority of AV vendors do not detect this threat.
By extracting the config files we were able to determine the C2 information of the various samples, mostly pointing to dynamic DNS hostnames.
The functionality is generally what you would expect for a RAT, keyloggers, capturing webcams, remote desktop and web browser password recovery. There are even tools to use this RAT on Android-based devices.
Here is a list of indicators for this post:
C2 hostnames (all these samples use port 1991 and 1992):
goldlojistik [dot] com
surumatla [dot] com
surumlericek [dot] com
Current IP addresses:
goldlojistik.com. 40 IN A 184.108.40.206
surumatla.com. 59 IN A 220.127.116.11
surumlericek.com. 345 IN A 0.0.0.0