An email phishing campaign launched this month attempted to infect spam recipients with the Adwind cross-platform RAT by fooling them into thinking they received an important financial document from the SWIFT financial messaging system.
According to a 21 February blog post from Comodo Group's Threat Research Lab, the spam messages falsely alerted recipients to a wire bank transfer made to their designated bank accounts, and advised them to review an attached document to ensure there were no discrepancies. However, the supposedly legitimate attachment, a compressed file named pdf.z, was actually Adwind, a remote access trojan that also goes by jRAT, AlienSpy, Frutas and other nicknames.
Comodo explains that disguising malicious emails as SWIFT communications is particularly effective because money can sometimes provoke an emotional response that overrides critical thinking, making it more likely that someone will open the attachment.
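The lure above turns on a single detail: a file named to read as a PDF that is really a compressed archive. As an added example, not code from the article or from Comodo, the following Python script shows the kind of attachment triage a mail gateway could apply to such a message. The keyword list, the extension lists, the subject text and the attachment bytes are all constructed here for illustration; the sender address is the one the article reports, and the file-format magic values are the standard ones.

```python
"""Triage a mail for an archive attachment disguised as a document.
Added example, not code from the article or from Comodo. The sample
message below is constructed for illustration; its attachment is a
ZIP-style header plus filler bytes, not a real payload."""
import email
from email import policy
from email.message import EmailMessage

# Subject words typical of wire-transfer lures (assumption: illustrative list)
LURE_KEYWORDS = ("swift", "wire transfer", "bank transfer", "remittance", "payment advice")
ARCHIVE_EXTS = {"z", "zip", "rar", "7z", "gz", "jar"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}

# Well-known leading bytes of common container formats
MAGIC = (
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip/jar"),   # a Java JAR is a ZIP archive
    (b"\x1f\x9d", "compress"),    # classic .Z stream
    (b"\x1f\x8b", "gzip"),
    (b"Rar!", "rar"),
)


def sniff(data: bytes) -> str:
    """Identify the container format from its leading bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return reasons an attachment looks like a disguised payload (empty if none)."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 1 else ""   # "pdf" in "pdf.z" or "x.pdf.z"
    kind = sniff(data)
    if ext in ARCHIVE_EXTS and inner in DOC_EXTS:
        reasons.append(f"{name}: archive named to look like a .{inner} document")
    if ext in ARCHIVE_EXTS and kind == "zip/jar":
        reasons.append(f"{name}: content is a ZIP/JAR container, not a .{ext} stream")
    if ext == "pdf" and kind not in ("pdf", "unknown"):
        reasons.append(f"{name}: named .pdf but content sniffed as {kind}")
    return reasons


def triage(raw: bytes) -> dict:
    """Score a raw RFC 822 message: lure-themed subject plus a suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    lure = any(k in subject for k in LURE_KEYWORDS)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons.extend(check_attachment(name, data))
    if reasons and lure:
        verdict = "quarantine"
    elif reasons or lure:
        verdict = "review"
    else:
        verdict = "pass"
    return {"lure_subject": lure, "reasons": reasons, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message modelled on the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "JoeH@snovalleyprocess.com"   # sender address reported by Comodo
    msg["To"] = "accounts@example.com"           # assumed recipient
    msg["Subject"] = "SWIFT wire transfer confirmation"   # assumed subject text
    msg.set_content("Please review the attached document for any discrepancies.")
    # Constructed attachment: ZIP/JAR header followed by filler, not real malware
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="pdf.z")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The name check and the magic-byte check are deliberately independent: a gateway that only trusts the declared extension or MIME type will pass a renamed archive, and one that only sniffs content will miss a genuine compressed stream delivered under a document-looking name. Escalating to quarantine only when a financial lure subject coincides with a suspicious attachment keeps the rule from flagging every legitimate zipped report.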
“If an employee receives an email, they will be afraid to not open it,” the blog post states. “What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow.”
Company researchers suspect that Adwind was likely used in this instance to spy and perform reconnaissance on victims, as well as to download additional malware programs based on what attackers were able to learn about the infected environments.
This particular campaign, which ran on 9 February, used the sender address JoeH@snovalleyprocess.com, displayed a Turkish contact address, and was sent from IP addresses located in Cyprus, the Netherlands and Turkey.
“As we see, cyber-criminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise's network,” said Fatih Orhan, head of Comodo Threat Research Lab, in the blog post. “They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in.”