The malware economy is still alive and well. Cybercriminals continue to turn their attention to more targeted attacks that require less infrastructure to carry out. Phishing emails remain a preferred attack vector for malicious actors focused on getting access to users’ valuable data.

Security researchers recently observed and analyzed a targeted spam campaign in which cybercriminals try to lure victims into clicking on a malicious link.

In the observed attack, the spam email carries the following content:

From: [Spoof / Forwarded Sender Address]

Subject Line:
payment swift copy-USD-39,814-15

Content (sanitized for your own protection):

“Dear Sir

Please find herewith the attached file of payment swift copy-USD-39,814-15. Please acknowledge receipt it.

Best Regards

https: //www.dropbox [.] com / s / 6etniblieaywcpm / PAYMENT% 20SWIFT% 20COPY_Parimex% 20USD_39% 2C814-15_pdf.zip? dl = 1 ”

If users click the link pointing to Dropbox and open the archive, they receive a malicious ZIP file containing the following file: “PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar”

A JAR (Java ARchive) file is actually a ZIP archive that the Java Runtime Environment (JRE) uses to package and execute Java programs.

In this spam campaign, if an unsuspecting recipient runs the .jar file on a machine that has a Java runtime installed, the cybercriminals “drop” the malicious JBiFrost RAT onto the hard drive.
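As an added example (not part of the original alert, and not Heimdal or CSIS code), the following Python script shows how a defender could inspect a downloaded ZIP for the pattern described above: a nested Java archive whose double extension (“_pdf.jar”) poses as a PDF. The sample archive it builds is constructed in memory and contains no real malware; the names Dropper and Dropper.class are placeholders.

```python
import io
import zipfile
from typing import List

# Name pattern from this campaign: a JAR whose double extension poses as a PDF.
SUSPICIOUS_DOUBLE_EXT = ("_pdf.jar", ".pdf.jar")


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP file; treat data as a JAR if it is a ZIP carrying a manifest."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_archive(data: bytes) -> List[str]:
    """Return findings for a downloaded ZIP attachment, one string per finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SUSPICIOUS_DOUBLE_EXT):
                findings.append(f"double extension posing as PDF: {name}")
            # Check content as well as extension, so a renamed JAR is still caught.
            if lower.endswith(".jar") or is_jar(outer.read(name)):
                findings.append(f"nested Java archive (runs if a JRE is installed): {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample mimicking the campaign's archive layout; placeholder content only."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        j.writestr("Dropper.class", b"\xca\xfe\xba\xbe placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("PAYMENT SWIFT COPY_Parimex USD_39,814-15_pdf.jar", jar.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```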

JBiFrost is a rebranded version of the Adwind RAT; the malicious actors behind it introduced it to the malware market in 2016.

This RAT variant is configured to communicate with the following command-and-control (C&C) server (sanitized for your safety): vvrhhhnaijyj6s2m.onion [.] Top. With the help of a RAT, attackers can remotely access the file system to read, write or delete files.

The objective of this type of attack can be to exfiltrate data from compromised systems and to open a backdoor that lets online criminals feed more malware into the targeted machines.

According to VirusTotal, only 17 out of 61 antivirus products detected this spam campaign at the time of writing this security alert.

[Image: VirusTotal antivirus detection results for JBiFrost]

Heimdal Security proactively blocked these malicious domains, so all our Heimdal PRO and Heimdal CORP users are protected.

How to prevent being infected with Adwind RAT

This type of malware can evade detection in the first place, so it’s essential to take all the security measures needed to keep your data safe.

  • Keep your operating system, including all your apps and software programs, up to date, because it’s the first place where malicious actors can exploit vulnerabilities;
  • Once again, we remind you: DO NOT open emails or click on files/attachments that look suspicious to you;
  • Always keep a backup of all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). Use this guide to learn how to do it;
  • Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
  • It is safer to add multiple layers of protection and use a proactive cyber security software solution;
  • Prevention is the best cure, so learning as much as possible about how to easily detect spam emails is always the right mindset. We recommend these free educational resources to gain more knowledge in the cybersecurity industry.

Stay safe!

*This article features cyber intelligence provided by CSIS Security Group researchers.

Article Source : http://ift.tt/2tqXF9b
