Adwind

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket, is a remote access trojan available as MaaS (Malware-as-a-Service). Adwind can collect user and system data, control the webcam of the infected machine, capture screenshots, install and run other malicious programs, log keystrokes, steal web browser passwords and more.

  • Type
    Trojan
  • Origin
    Likely Mexico
  • First seen
    1 January, 2012
  • Last seen
    22 November, 2019
  • Also known as
    Unrecom, Sockrat, Frutas, jRat, JSocket
  • Global rank
    10
  • Week rank
    15
  • Month rank
    17
  • IOCs
    1066

What is Adwind malware?

First identified in January 2012, Adwind cannot be called new malware, but despite its age it has become extremely popular. In 2015, over 1,800 people purchased Adwind on its “official” website, making the site one of the most popular malware distribution platforms in the world. It should be noted that Adwind poses a danger to users of all major operating systems, including Windows, Mac OS X, Linux and BSD.

General description of Adwind

First discovered in 2012, the malware was known as Frutas at that time and presumably originated in Mexico. During the first year of Adwind’s existence, the creator released multiple versions, all of which were distributed free of charge on Spanish hacker forums.

The feature set of the original version was somewhat limited compared to the latest iteration. In 2012, Adwind RAT could capture screenshots, steal passwords from selected online services, open specific web pages and display pop-up messages.

In 2013, the creator of the malware released a new version, changing its name to Adwind. The new version added support for Android OS and started to gain traction outside the Spanish hacker community, becoming a popular tool worldwide. Following the malware’s rise in popularity, the author set up a YouTube channel to post tutorials for other cybercriminals. During the same year, the first documented case of Adwind being used in a targeted attack occurred in Pacific Asia. In November 2013, the malware was rebranded as UNRECOM and sold to Unrecom Soft. The rebranded version of Adwind retained all functionality of the previous iteration.

In 2014, the source code of Adwind was leaked and became available online free of charge. Cracked versions became a popular tool among cybercriminals, who widely used them in attacks during 2014 and 2015, further contributing to the overall popularity of Adwind. In response to the leak, the “official” version of the Adwind Trojan was significantly upgraded and re-released as AlienSpy in October 2014. This version learned to detect sandboxes automatically, gained cryptographically secured communication with the control server and became capable of detecting and disabling antivirus products.

Finally, in 2015, the malware was renamed once again, becoming JSocket RAT. As malware-as-a-service, Adwind RAT is sold for a fixed fee charged as a monthly subscription, and it could be purchased at JSocket.org until the website became unavailable. The price depends on the package the buyer chooses.

It should be noted that Adwind requires an action by the potential victim to start executing. Delivered in a malicious .JAR file, the malware cannot run until the victim double-clicks the attachment.

Adwind malware analysis

The ANY.RUN interactive service enables researchers to view the execution process of the Adwind Trojan in a secure environment in multiple formats, including video.

Figure 1: Visual process graphs generated by ANY.RUN help to simplify and speed up research work

Figure 2: ANY.RUN creates customizable text reports, allowing researchers to share the results of the simulation easily

Adwind execution process

In our simulation, after a user opened the malicious .jar file, the malware started executing through the Java Virtual Machine. This initial process executed a JS script, which in turn ran one more JS script and another .jar file.

The JS script also used Task Scheduler to run itself again later. The .jar file started a series of malicious activities, such as using attrib.exe to mark files or folders as hidden, running VBS script files, changing the autorun value in the registry and more. It has been noted that the .jar file sometimes runs a series of taskkill commands to shut down processes by name, based on a list containing names of system processes, common antivirus programs and analysis tools such as wireshark.exe, procexp.exe and processhacker.exe. Note that this malware does not run without Java installed.
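As an added example (not ANY.RUN's code and not taken from the page), the following Python detector turns the chain described above into process-creation indicators and triages them: a Java process spawning a script host, the script launching a second .jar, a schtasks persistence entry, attrib.exe hiding files, a Run key write and taskkill against the named analysis tools. The event records, user paths and file names are constructed for this example; only the tool names come from the paragraph above.

```python
import shlex
from collections import Counter

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ANALYSIS_TOOLS = {"wireshark.exe", "procexp.exe", "processhacker.exe"}  # named in the analysis above

def classify(event):
    """Return the indicator names one process-creation event triggers.
    event: dict with 'parent' and 'image' (executable basenames) and the full 'cmdline'."""
    parent, image = event["parent"].lower(), event["image"].lower()
    # posix=False keeps Windows backslashes literal; quotes stay attached, so strip them per token
    args = [a.lower().strip('"') for a in shlex.split(event["cmdline"], posix=False)]
    hits = []
    if parent in JAVA_HOSTS and image in SCRIPT_HOSTS:
        hits.append("java_spawns_script_host")       # the opened .jar launches a JS script
    if parent in SCRIPT_HOSTS and image in JAVA_HOSTS and any(a.endswith(".jar") for a in args):
        hits.append("script_spawns_second_jar")      # the JS script runs another .jar file
    if image == "schtasks.exe" and "/create" in args:
        hits.append("scheduled_task_persistence")    # script re-runs itself via Task Scheduler
    if image == "attrib.exe" and "+h" in args:
        hits.append("attrib_hide")                   # dropped files or folders marked hidden
    if image == "reg.exe" and "add" in args and any(a.endswith("\\currentversion\\run") for a in args):
        hits.append("registry_run_key")              # autorun value changed in the registry
    if image == "taskkill.exe" and ANALYSIS_TOOLS & set(args):
        hits.append("taskkill_analysis_tool")        # analysis tool killed by image name
    return hits

def triage(events, min_indicators=3):
    """Aggregate indicators over one host's events; the verdict needs the Java-to-script
    hand-off plus min_indicators distinct indicators, so a lone attrib or reg call does not trip it."""
    seen = Counter(hit for event in events for hit in classify(event))
    chain_seen = "java_spawns_script_host" in seen
    return {"indicators": dict(seen), "suspicious": chain_seen and len(seen) >= min_indicators}

# Constructed process-creation records mirroring the chain from the sandbox run above
# (hypothetical paths and names, not values from the page).
T = "C:\\Users\\victim\\AppData\\Local\\Temp\\stage1.js"
R = "C:\\Users\\victim\\AppData\\Roaming\\qwerty"
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "javaw.exe", "cmdline": 'javaw.exe -jar "C:\\Users\\victim\\Downloads\\Invoice.jar"'},
    {"parent": "javaw.exe", "image": "wscript.exe", "cmdline": f'wscript.exe "{T}"'},
    {"parent": "wscript.exe", "image": "schtasks.exe", "cmdline": f'schtasks.exe /create /tn Update /sc minute /mo 30 /tr "wscript.exe {T}"'},
    {"parent": "wscript.exe", "image": "javaw.exe", "cmdline": f'javaw.exe -jar "{R}\\qwerty.jar"'},
    {"parent": "javaw.exe", "image": "attrib.exe", "cmdline": f'attrib.exe +h +s "{R}"'},
    {"parent": "javaw.exe", "image": "reg.exe", "cmdline": f'reg.exe add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v qwerty /d "javaw.exe -jar {R}\\qwerty.jar"'},
    {"parent": "javaw.exe", "image": "taskkill.exe", "cmdline": "taskkill.exe /F /IM wireshark.exe"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},  # benign noise
]
```

Feeding `triage(SAMPLE_EVENTS)` the constructed records yields six distinct indicators and a suspicious verdict, while the trailing events alone (no Java-to-script hand-off) do not.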

How to avoid infection by Adwind?

Exercising caution when handling emails from unknown senders is a reliable way to prevent infection, since Adwind requires the victim to interact with the malicious file before it enters an active phase. Therefore, never downloading attachments from suspicious emails is a sure way to stay safe. In addition, preventing .JAR files from running in %AppData%\[random folder name], and prohibiting the creation of .JAR files in that folder, can be considered a good security measure.

Distribution of Adwind

Adwind is distributed in mail spam campaigns and has two general attack vectors. It can be delivered to the victim's machine as an email attachment in the form of a malicious file such as a PDF or a Microsoft Office file.

The other attack vector is a malicious URL which redirects the victim to a website from where Adwind is downloaded.

How to export process graph from the analysis of Adwind malware using ANY.RUN?

Analysts can export the process graph from a task in SVG format if they want to share it. Just click the "Export" button and choose "Export Process Graph (SVG)" in the drop-down menu.

Figure 3: Adwind's process graph exported in SVG format

Conclusion

Distributed as a malware-as-a-service, Adwind has become one of the most popular RATs and targets users of all major operating systems worldwide.

Not only is the “official” paid version of the malware known to have created a massive following, but several slightly outdated, yet still very powerful, cracked free-to-use versions are readily available on underground hacking forums. As a result, Adwind remains a serious, active and perhaps even growing threat today.

IOCs

