Stopping Remote Access Trojans (RATs) in their tracks with OpenText MDR

In 2012 we saw the first release of the Adwind malware family, a Java-based remote access tool (RAT) called “Frutas”. Since then it has been rebranded several times, under names such as Adwind, UnReCoM, Alien Spy, JSocket, JBifrost, UnknownRat, and JConnectPro.

The OpenText™ MDR has seen infections from the Adwind RAT family as recently as January 2022.

Adwind doesn’t self-infect computers or spread automatically. It relies on user interaction: double-clicking the .JAR attachment in the email, or doing the same from an archive.  

Alternatively, it can be spread via other containers like .hta or .vbs files, which install Java if it’s not available on the system and download the main Adwind.JAR file from a remote server. 

OpenText consistently researches how Remote Access Trojans (RATs) and other malware affect and interact with the endpoint in order to build the best detection techniques. For this blog, we ran this malware in our test environment; next, we will walk through it and see what it looks like in the DEVO Security Information and Event Management (SIEM) platform.

We have several types of alerts that would trigger on this event at different stages of the infection. 

Once an alert is triggered in DEVO, we can track it from the alerts page as seen in Fig 1.

Here on the alerts page, we see “Wscript executing an EXE file”. In a real scenario, the RAT could have been introduced to the network via spam campaigns, fake software updates, trojans or untrustworthy software download sources.

The rule logic is: if the ParentProcess is Wscript and it is running an executable other than Wscript, then trigger the alert. In the alert itself, we see that user robert.tompson on host FRONT-OFFICE4 clicked on a disguised .jsr file. This action ran Java, which ran the script krmfoicaw.txt.

Initial Infection: 

Next, we will go to this event in the DEVO view of the Windows Event logs as seen in Fig 2 and track it there. 

Fig 2. The initial infection as an event in the DEVO view of the Windows Event logs.

Tactics, Techniques, and Procedures (TTPs) observed during infection:

  • ParentProcessName C:\Windows\explorer.exe
    CommandLine "C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe" -jar "C:\Users\robert.tompson\Downloads\invoice.jar"
    NewProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe
  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe
    CommandLine C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj
    NewProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe

In the log entries above, we see the Adwind dropper process. The user opened the Adwind .jar file and the malware started execution through the Java virtual machine. This initial process executed the .js script, which in turn ran one more .js script and another .jar file.

  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 
    CommandLine taskkill /IM UserAccountControlSettings.exe /T /F 
    NewProcessName C:\Windows\SysWOW64\taskkill.exe 
  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 
    CommandLine taskkill /IM ProcessHacker.exe /T /F 
    NewProcessName C:\Windows\SysWOW64\taskkill.exe 
  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 
    CommandLine taskkill /IM K7TSecurity.exe /T /F 
    NewProcessName C:\Windows\SysWOW64\taskkill.exe 
  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 
    CommandLine taskkill /IM uiWatchDog.exe /T /F 
    NewProcessName C:\Windows\SysWOW64\taskkill.exe 
  • ParentProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 
    CommandLine taskkill /IM SUPERAntiSpyware.exe /T /F 
    NewProcessName C:\Windows\SysWOW64\taskkill.exe 

In the log entries above, we see that the JS script also used Task Scheduler to run itself later. The JAR file runs a series of taskkill commands to shut down processes from a list of particular system processes, common anti-virus programs, packet analysis tools and others.

  • ParentProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe
    CommandLine attrib +h "C:\Users\robert.tompson\JVlpBjOuqsQ\*.*"
    NewProcessName C:\Windows\SysWOW64\attrib.exe
  • ParentProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe
    CommandLine attrib +h "C:\Users\robert.tompson\JVlpBjOuqsQ"
    NewProcessName C:\Windows\SysWOW64\attrib.exe

In the log entries above, we see the RAT changing the folder and file attributes to system, hidden, and read-only using the attrib command.

  • NewProcessName C:\Windows\SysWOW64\xcopy.exe
  • ParentProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\java.exe
    CommandLine cmd.exe /C cscript.exe C:\Users\ROBERT~1.TOM\AppData\Local\Temp\Retrive1361723543805738850.vbs
    NewProcessName C:\Windows\SysWOW64\cmd.exe

In the log entries above, we see that Adwind copies the related Java Runtime files to a temporary directory within the victim’s home directory using the xcopy command (only the xcopy process name was captured for that entry), and runs a dropped .vbs script from the user’s Temp folder through cmd.exe and cscript.exe.

  • ParentProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe
    CommandLine reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lMpweJSGDjr /t REG_EXPAND_SZ /d "\"C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj\"" /f
    NewProcessName C:\Windows\SysWOW64\reg.exe

In the above log entry, we see that the RAT adds its file path to the HKCU Run registry key for persistence using the reg command. 

  • ParentProcessName C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe 
    CommandLine C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj 
    NewProcessName C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe 

In the above log entry, we see the RAT is then launched using javaw.exe so that there is no associated console window. 
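The process chain above maps directly onto detection rules. The following is an added example (not OpenText’s or Devo’s code) that applies the Fig 1 rule (Wscript running an executable other than Wscript) plus rules for each TTP shown here to Windows 4688-style process-creation events. Field names follow the post; the EVENTS list is built from the post’s own entries plus two constructed records, a benign baseline and a Wscript-launched executable modelled on the Fig 1 description. Treating Downloads and Temp as high-risk locations alongside %AppData% is an assumption of this example.

```python
"""Process-chain detection for the Adwind TTPs shown in this post, applied to
Windows 4688-style process-creation events.  Added example, not OpenText's or
Devo's code.  Field names follow the post (ParentProcessName, CommandLine,
NewProcessName); EVENTS is built from the post's entries plus two constructed
records (a benign baseline and a Wscript-launched executable)."""
import re
from pathlib import PureWindowsPath

# Image names the post shows Adwind terminating with "taskkill /IM ... /F".
SECURITY_TOOLS = {"useraccountcontrolsettings.exe", "processhacker.exe",
                  "k7tsecurity.exe", "uiwatchdog.exe", "superantispyware.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# System utilities a JVM rarely needs to spawn; Adwind uses every one of these.
UTILITIES = {"cmd.exe", "cscript.exe", "wscript.exe", "xcopy.exe",
             "attrib.exe", "reg.exe", "taskkill.exe"}
# User-writable locations: the post names %AppData%; Downloads and Temp are
# added here as an assumption about where an emailed JAR lands.
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\downloads|temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.I)


def image(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return PureWindowsPath(path.strip('"')).name.lower()


def detect(event):
    """Return the rule names an event matches, in a fixed order."""
    parent, child = image(event["ParentProcessName"]), image(event["NewProcessName"])
    cmd = event["CommandLine"]
    hits = []
    # Fig 1 alert logic: Wscript as parent running anything other than Wscript.
    if parent == "wscript.exe" and child != "wscript.exe":
        hits.append("wscript_spawned_exe")
    # A JVM started from, or loading a JAR from, a user-writable path.
    if child in JAVA_IMAGES and (USER_WRITABLE.search(event["NewProcessName"])
                                 or USER_WRITABLE.search(cmd)):
        hits.append("java_from_user_writable_path")
    # A JVM spawning cmd/cscript/xcopy/attrib/reg/taskkill.
    if parent in JAVA_IMAGES and child in UTILITIES:
        hits.append("java_spawned_system_utility")
    # taskkill aimed at a known security tool.
    m = re.search(r"/im\s+(\S+)", cmd, re.I) if child == "taskkill.exe" else None
    if m and m.group(1).lower() in SECURITY_TOOLS:
        hits.append("taskkill_security_tool")
    # attrib setting the hidden attribute (+h, +sh, ...).
    if child == "attrib.exe" and re.search(r"\s\+[a-z]*h", cmd, re.I):
        hits.append("attrib_hide")
    # reg add into a CurrentVersion\Run or RunOnce key.
    if child == "reg.exe" and " add " in cmd.lower() and RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    return hits


def distinct_rules(events):
    """Distinct rules fired across one host's events; several different stages
    firing together is what lifts a single alert into a confirmed chain."""
    return {rule for e in events for rule in detect(e)}


def ev(parent, cmd, child):
    return {"ParentProcessName": parent, "CommandLine": cmd, "NewProcessName": child}


JRE = r"C:\Program Files (x86)\Java\jre1.8.0_311\bin"
APP = r"C:\Users\robert.tompson\AppData\Roaming\Oracle\bin"
EVENTS = [
    # constructed benign baseline
    ev(r"C:\Windows\explorer.exe", r'"C:\Windows\System32\notepad.exe" notes.txt',
       r"C:\Windows\System32\notepad.exe"),
    # constructed, modelled on the Fig 1 "Wscript executing an EXE file" alert
    ev(r"C:\Windows\System32\wscript.exe",
       r'"' + JRE + r'\javaw.exe" -jar "C:\Users\robert.tompson\AppData\Local\Temp\krmfoicaw.txt"',
       JRE + r"\javaw.exe"),
    # from the post: the user opens invoice.jar
    ev(r"C:\Windows\explorer.exe",
       r'"' + JRE + r'\javaw.exe" -jar "C:\Users\robert.tompson\Downloads\invoice.jar"',
       JRE + r"\javaw.exe"),
    # from the post: taskkill against a security tool
    ev(APP + r"\javaw.exe", r"taskkill /IM ProcessHacker.exe /T /F", r"C:\Windows\SysWOW64\taskkill.exe"),
    # from the post: hiding the staging folder
    ev(JRE + r"\javaw.exe", r'attrib +h "C:\Users\robert.tompson\JVlpBjOuqsQ\*.*"', r"C:\Windows\SysWOW64\attrib.exe"),
    # from the post: Run-key persistence
    ev(JRE + r"\javaw.exe",
       r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lMpweJSGDjr /t REG_EXPAND_SZ /d "\"'
       + APP + r'\javaw.exe\" -jar \"C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj\"" /f',
       r"C:\Windows\SysWOW64\reg.exe"),
    # from the post: the RAT relaunched from its copied JRE under %AppData%
    ev(JRE + r"\javaw.exe", APP + r"\javaw.exe -jar C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj", APP + r"\javaw.exe"),
]

if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        print(i, image(e["NewProcessName"]), detect(e))
    print("distinct rules:", sorted(distinct_rules(EVENTS)))
```

Each rule on its own is noisy (administrators run reg add and taskkill too), which is why distinct_rules counts how many different stages fired on one host: the benign event trips nothing, while the infected host trips all six.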

Fig 3. DEVO view of network logs showing outbound communications.

Network logs showing host communicating with Command and Control (C2) 

  • CommandLine C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\robert.tompson\JVlpBjOuqsQ\.jar.Bttolj 
  • Remote_IP 96.47.232.105 
  • Organization ASN-QUADRANET-GLOBAL 

As seen in the network log entry above, the Adwind RAT then communicates with its command and control (C2) server over SSL on non-standard ports with self-signed certificates. 

Adwind Indicators of Compromise (IOCs), SHA-256 file hashes:

  • 655954e2d7d2e71f7c2cdcfb278f9154b94a50904ee3315824de204aa14e0100 
  • e5640e712ee54cb3526f815cba11e7acbdd715285055f3ae49db3106ec4e342f 
  • 0cf873f1cb546239aca250821adff0482a746736e0a47887416a0d7a8c13085b 
  • df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0 
  • 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2 
  • dc1c478b9929c6c826a534845e8274896943ff399bdc042b767b924f16a75a3b 
  • 78c22b0bdb48269bf06e521c6dd960616eda9fa8592a81591a4b49f8f1c1162a 
  • 1e9a8830a9434d709e168747576801b222ed5dfdc0f5fd57b89a018e8220a4c3 
  • 6bfe19f6d48ce694d9d8bd8134d445e4497d500dc7c38deb577a481e92406823 
  • 0bbe535928fd8c85cda0abfdc17271b26460fad8fadbcbe9480159040112bd07 
  • bb571b783085607971882f2ff832698db7508727066c5481455a4ecd4dec8174 
  • 66d6909833dbaa8a9b3fcc5055683455ea5d7e135cfb84416d30c1d2de2da208 
  • fc14e804068d0ae448b05ffa99188fa52a84e01f5a3aaa2d86bce99f50ffdff7 
  • a185cca00cfaeab4a21d80c3582e7ceee3827683b23caac341fe04bf8497e913 

Domains Associated with the Adwind RAT C2: 

  • majul.com 
  • isns.net 
  • www.ogbujpmoxi.cf 
  • toheeb.publicvm.com 
  • Blesseddon.dynu.net 
  • qxq.ddns.net 
  • alibabajob.duckdns.org 
  • moranhq.duckdns.org 
  • ssniper.duckdns.org 
  • pm2bitcoin.com 
  • jasoncarlosscot.hopto.org 
  • jaaav.ddns.net 
  • ml.warzonedns.com 
  • newlogs.ddns.net 
  • json.stringengines.com 
  • vemvemserver.duckdns.org 
  • olavroy.duckdns.org 
  • wcbradley.duckdns.org 
  • mothermaryblessme.duckdns.org 
  • powerpower19.duckdns.org 
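The following is an added example (not OpenText’s or Devo’s code) that sweeps connection records against the IOC lists above and applies the C2 behaviour described with Fig 3: the RAT’s javaw.exe, running out of %AppData%, speaking TLS to a public host on a non-standard port with a self-signed certificate. The record field names (process, remote_ip, remote_port, sni, tls_self_signed, sha256) are assumed for a generic endpoint/TLS log; RECORDS is constructed, with port 1604 and the non-IOC addresses as placeholders. The hash set uses the first three hashes from the list above; the domain set is the full list.

```python
"""IOC sweep plus the C2 traffic heuristic the post describes: the RAT's
javaw.exe talking TLS to a non-standard port with a self-signed certificate.
Added example, not OpenText's or Devo's code.  Record field names are assumed
for a generic endpoint/TLS log; RECORDS is constructed.  Hash and domain
values come from the post's IOC lists (hashes: the first three listed)."""
from ipaddress import ip_address

KNOWN_HASHES = {
    "655954e2d7d2e71f7c2cdcfb278f9154b94a50904ee3315824de204aa14e0100",
    "e5640e712ee54cb3526f815cba11e7acbdd715285055f3ae49db3106ec4e342f",
    "0cf873f1cb546239aca250821adff0482a746736e0a47887416a0d7a8c13085b",
}
KNOWN_C2_IPS = {"96.47.232.105"}
KNOWN_C2_DOMAINS = {d.lower() for d in [
    "majul.com", "isns.net", "www.ogbujpmoxi.cf", "toheeb.publicvm.com",
    "Blesseddon.dynu.net", "qxq.ddns.net", "alibabajob.duckdns.org",
    "moranhq.duckdns.org", "ssniper.duckdns.org", "pm2bitcoin.com",
    "jasoncarlosscot.hopto.org", "jaaav.ddns.net", "ml.warzonedns.com",
    "newlogs.ddns.net", "json.stringengines.com", "vemvemserver.duckdns.org",
    "olavroy.duckdns.org", "wcbradley.duckdns.org",
    "mothermaryblessme.duckdns.org", "powerpower19.duckdns.org",
]}
STANDARD_TLS_PORTS = {443, 8443}


def domain_matches(host, iocs):
    """True when host equals an IOC domain or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


def assess(rec):
    """Reasons a connection record deserves an analyst's attention."""
    reasons = []
    if rec.get("sha256", "").lower() in KNOWN_HASHES:
        reasons.append("known_adwind_hash")
    if rec["remote_ip"] in KNOWN_C2_IPS:
        reasons.append("known_c2_ip")
    if rec.get("sni") and domain_matches(rec["sni"], KNOWN_C2_DOMAINS):
        reasons.append("known_c2_domain")
    # Behavioural check from the post: a JVM running out of %AppData% making
    # TLS to a public address on a non-standard port with a self-signed cert.
    # Private/reserved destinations are skipped to avoid flagging lab traffic.
    proc = rec["process"].lower()
    if (proc.endswith("javaw.exe") and "\\appdata\\" in proc
            and rec["tls_self_signed"]
            and rec["remote_port"] not in STANDARD_TLS_PORTS
            and ip_address(rec["remote_ip"]).is_global):
        reasons.append("appdata_java_selfsigned_tls_odd_port")
    return reasons


def sweep(records):
    """Index and reasons for every record that matched at least one check."""
    return [(i, assess(r)) for i, r in enumerate(records) if assess(r)]


RAT = r"C:\Users\robert.tompson\AppData\Roaming\Oracle\bin\javaw.exe"
RECORDS = [  # constructed; port 1604, the 203.0.113.x hosts and the zero hash are placeholders
    {"process": RAT, "remote_ip": "96.47.232.105", "remote_port": 1604, "sni": None,
     "tls_self_signed": True,
     "sha256": "655954e2d7d2e71f7c2cdcfb278f9154b94a50904ee3315824de204aa14e0100"},
    {"process": r"C:\Program Files (x86)\Java\jre1.8.0_311\bin\javaw.exe",
     "remote_ip": "203.0.113.10", "remote_port": 443, "sni": "updates.example.com",
     "tls_self_signed": False, "sha256": "0" * 64},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "remote_ip": "203.0.113.20", "remote_port": 8443, "sni": "mail.moranhq.duckdns.org",
     "tls_self_signed": False, "sha256": "0" * 64},
    {"process": RAT, "remote_ip": "10.0.0.5", "remote_port": 5000, "sni": None,
     "tls_self_signed": True, "sha256": "0" * 64},
]

if __name__ == "__main__":
    for i, reasons in sweep(RECORDS):
        print(i, RECORDS[i]["remote_ip"], RECORDS[i]["remote_port"], reasons)
```

The domain match is suffix-based so that hosts beneath a listed dynamic-DNS name (mail.moranhq.duckdns.org) still match, while unrelated names that merely end in the same characters (notduckdns.org) do not; the behavioural rule catches the C2 channel even when the IP and domain lists have gone stale.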

If an organization is concerned it has been affected by a Remote Access Trojan (RAT), OpenText would recommend the following actions:

  • Holding anti-phishing classes to teach the organization’s staff to use caution when handling emails from unknown senders. This is a reliable way to minimize contamination, as the Adwind trojan requires a user to interact with the malicious file before it enters an active phase.
  • In addition, continuous monitoring for .JAR files running from high-risk locations such as %AppData%.

The OpenText Security Services team uses their extensive experience to identify an organization’s security risks and work with them to keep systems protected, offering multiple services to address cyber security and privacy objectives. Contact us for more information. 

Author: John Minotti, Lead Consultant
