Security researchers have discovered a new version of the Adwind remote access trojan (RAT) that has been targeting Windows applications and Chromium-based browsers, such as Google Chrome.
The malware uses Java to take control of a user's machine and collect data from it, particularly login credentials. Because it relies only on common Java functionality, researchers said, it is difficult to detect or to detonate in a sandbox: nothing about its presence or its traffic stands out from the ordinary Java activity on a network.
"In fact, any effort to block or limit Java would result in much of the internet breaking down -- a non starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities," researchers said in a blog post.
The latest variant appears to be targeting Windows machines and common Windows applications such as Explorer and Outlook as well as Chromium-based browsers. The malware is a JAR file delivered from a link in a phishing email or downloaded from a legitimate site serving up insecure third-party content.
Researchers saw that many infections originated from outdated and illegitimate WordPress sites.
The new variant obfuscates the initial JAR file, which makes static signature-based detection ineffective. The initial JAR decrypts and reflectively loads the Qealler Header class, which in turn decrypts and reflectively loads the Loader class. The Loader class then decrypts and reflectively loads the initial set of modules and calls the Main class, which is responsible for initialising the RAT with its command and control (C2) server, according to researchers.
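A decrypt-then-reflectively-load chain of this kind leaves static traces even when the class names and byte sequences differ from sample to sample: a small number of classes, constant-pool references to class loading, reflection and javax.crypto, and one or more opaque high-entropy resources that are the encrypted next stage. The following is an added illustration of that heuristic, written for this article rather than taken from the researchers' report; the marker strings, the entropy threshold and the two sample JARs it builds are all constructed assumptions, and the "class files" inside them are stand-ins rather than real bytecode.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Constructed indicators of the decrypt-then-reflectively-load pattern.
# These are assumptions for illustration, not a published Adwind/Qealler signature.
REFLECTIVE_LOAD_MARKERS = (b"java/lang/ClassLoader", b"defineClass",
                           b"java/lang/reflect/Method", b"javax/crypto/Cipher")
HIGH_ENTROPY = 7.2  # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_jar(jar_bytes: bytes) -> dict:
    """Collect static indicators from a JAR held in memory.

    Counts class entries, records which marker strings appear inside class
    files, and lists non-class resources whose entropy suggests ciphertext.
    """
    report = {"classes": 0, "markers": set(), "opaque_resources": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            data = zf.read(info.filename)
            if info.filename.endswith(".class"):
                report["classes"] += 1
                report["markers"].update(
                    m.decode() for m in REFLECTIVE_LOAD_MARKERS if m in data)
            elif len(data) >= 256 and shannon_entropy(data) >= HIGH_ENTROPY:
                report["opaque_resources"].append(info.filename)
    return report


def is_suspicious(report: dict) -> bool:
    """Heuristic verdict: a thin loader (few classes) that references reflective
    loading/crypto and ships at least one high-entropy resource."""
    return (report["classes"] <= 5
            and len(report["markers"]) >= 2
            and bool(report["opaque_resources"]))


def _fake_class(strings) -> bytes:
    """Constructed stand-in for a .class file: magic number plus constant-pool-like strings."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(strings)


def build_sample_jar(malicious: bool) -> bytes:
    """Constructed sample JAR (not a real Adwind artefact) to feed the scanner."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        if malicious:
            zf.writestr("Main.class", _fake_class(
                [b"java/lang/ClassLoader", b"defineClass", b"javax/crypto/Cipher"]))
            # Pseudo-random blob standing in for the encrypted next stage.
            zf.writestr("resources/stage.bin",
                        bytes(rng.getrandbits(8) for _ in range(4096)))
        else:
            zf.writestr("Main.class", _fake_class([b"java/lang/System", b"println"]))
            zf.writestr("resources/messages.properties", "greeting=hello\n" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("loader-like", True), ("benign", False)):
        rep = scan_jar(build_sample_jar(flag))
        print(label, rep["classes"], sorted(rep["markers"]),
              rep["opaque_resources"], is_suspicious(rep))
```

The caveat is the one the article itself makes: commercial obfuscators and packers also produce tiny loaders with encrypted resources, so a hit from this kind of check is a reason to detonate the file or inspect the classes it loads at runtime, not a verdict on its own.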
The Main class then decrypts a configuration file to obtain a list of C2 server IP addresses. One address is selected, and an AES-encrypted request is sent to it over TCP port 80 to remotely load a further set of JAR files.
Once downloaded, those JAR files activate the RAT (Adwind is also known as jRAT), which is then fully functional: on instruction from the C2 server it harvests credentials saved in the browser and in various applications and sends them to a remote server. These can include personal banking credentials or business application logins, essentially any password saved in a browser or application running on Windows.
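An AES-encrypted request sent over TCP port 80 has one property a network sensor can use without any malware-specific signature: it is not HTTP. A web server on port 80 expects a request line, and a TLS client sends a recognisable handshake record, so a connection to 80 whose first client bytes are neither is worth surfacing. The following is an added example of that check, not code from the researchers or from any detection product; the flow record layout and the sample flows are constructed for the illustration.

```python
import re

# A request on TCP/80 should begin with an HTTP request line.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")
# TLS record type 22 (handshake) followed by major version 3.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"


def classify_payload(first_bytes: bytes) -> str:
    """Label the first bytes a client sends on a TCP connection."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes.startswith(TLS_HANDSHAKE_PREFIX):
        return "tls"
    return "opaque"


def find_non_http_port80(flows):
    """Return (src, dst, label) for flows to TCP/80 whose first client bytes are not HTTP.

    `flows` is an iterable of dicts with keys src, dst, dport and payload (the
    first client-to-server bytes). Both TLS-on-80 and an opaque custom protocol
    land here; the aim is to surface port-80 traffic no web server would parse.
    """
    hits = []
    for f in flows:
        if f["dport"] != 80:
            continue
        label = classify_payload(f["payload"])
        if label != "http":
            hits.append((f["src"], f["dst"], label))
    return hits


# Constructed sample flows (not captured traffic): an ordinary request, TLS on
# 443, TLS on 80, and a binary blob to 80 of the kind an encrypted C2 request
# would produce. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dport": 80,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"src": "10.0.0.7", "dst": "198.51.100.33", "dport": 80,
     "payload": b"\x8f\x1a\xd3\x44\x9c\x02\xee\x71\x55\xb0\x0d\x6c\x27\x93\xfa\x08"},
]


if __name__ == "__main__":
    for hit in find_non_http_port80(SAMPLE_FLOWS):
        print("non-HTTP on tcp/80:", hit)
```

In practice the "opaque" bucket still needs triage, since proxies and some legitimate tunnelling also put non-HTTP on 80, but the "opaque" hits from hosts that also executed a freshly downloaded JAR are exactly the population the article's researchers say static scanning misses.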
The trojan is able to mask its behavior by acting like any other Java command, researchers said.
"Without dynamic construction of the initial JAR file, threat intelligence has very little or no heuristics with which to create a static rule or signature that can effectively detect the initial JAR payload among the millions of Java commands flowing in and out of the corporate network," said researchers.
"It’s like wading through a crowd of a million people and trying to pick out the one person wearing a green undershirt without being able to look under people’s jackets. There’s nothing suspicious about its existence, its appearance or even its initial behavior. Everything about it seems normal."
John Handelaar, VP EMEA at Gurucul, told SC Media UK that the only way to quickly identify and block this sort of attack would be by using behaviour analytics, which helps to spot the anomalous behaviour, together with automation and orchestration to automatically block the transactions or traffic flow.
"When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time. Many organisations don’t have the ability to identify subtle behavioural anomalies that are indicators of cyber-threats. But with advanced machine learning algorithms, it’s possible to spot behaviours that are outside the range of normal activities and intervene before the damage is done," he said.