Kaspersky Lab has revealed that the Adwind malware-as-a-service platform was at the centre of an attack on a Singapore bank
A bank in Singapore has been targeted by cyber criminals using a malware-as-a-service platform that enables people with low-level computer skills to launch attacks against organisations.
“The malware’s rich capabilities, including its ability to run on multiple platforms as well as the fact that it was not detected by any antivirus solution, immediately captured the attention of the researchers.”
The researchers found that the unnamed Singapore bank had been attacked with the Adwind Remote Access Tool (RAT), a backdoor available for purchase and written entirely in Java, which makes it cross-platform.
The researchers said that Adwind could run on the Windows, OS X, Linux and Android platforms. Its capabilities include remote desktop control, data gathering and data exfiltration.
According to the results of investigations between 2013 and 2016, different versions of the Adwind malware have been used in attacks against at least 443,000 individuals, as well as commercial and non-profit organisations around the world.
Armed and active
The platform and the malware are still active. It is also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, and is distributed through a single malware-as-a-service platform.
Kaspersky Lab analysed nearly 200 examples of spear-phishing attacks by unknown criminals to spread the Adwind malware. It identified manufacturing, finance, engineering, design and retail among the most targeted sectors.
“The identification of this malware reminds me of the DireWolf attack discovered last year, which specifically targets corporate banking accounts and stole more than $1m from unsuspecting companies,” said Cathy Huang, research manager Asia-Pacific services and cloud research group at IDC.
Threat as a service
According to Kaspersky Lab, the Adwind RAT is different from other commercial malware in that it is distributed openly in the form of a paid service, where the ‘customer’ pays a fee in return for use of the malicious program. Kaspersky Lab researchers estimate that Adwind had around 1,800 users by the end of 2015, making it one of the biggest malware platforms in existence today.
Aleksandr Gostev, chief security expert at Kaspersky Lab, said: “The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cybercrime.
“What we can say based on our investigation of the attack against the Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform’s ‘clients’ are not computer experts. That is a worrisome trend.”
Authorities seem helpless
Huang said: “What surprised me is the fact that Kaspersky Lab seems to have been thoroughly studying this Adwind RAT malware since 2012, yet the good guys, including law enforcement, can do little to effectively control the malware platform and contain it.
“In addition, regardless of how much cybersecurity investment the banks have put in, it’s only a matter of time before their systems are breached. Often, a malware attack becomes effective because of human error – for example, staff click on a phishing email.
“We believe that while banks need to continue their technology investment to ensure a sound cybersecurity posture, it is also very important to constantly educate users to become more cyber-aware. After all, you cannot only rely on technology to solve the issue.”
McAfee Labs researchers recently identified a rapid increase in the number of .jar file samples identified as Adwind, with 7,295 in the last quarter of 2015. That’s 426% more than in the first quarter of 2015.
computerweekly