Organizations in over 100 countries targeted by new backdoor attack

- Adrian Ungureanu
109

Russian IT security solution developer, Kaspersky Lab has detected a massive new hit by the Adwind Remote Access Tool (RAT). This multi-functional backdoor has been used in attacks against more than 1,500 organizations in over 100 countries and territories.

The attacks have impacted various industrial sectors, including retail and distribution (20.1%), architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%) and consulting (5%).
Adwind’s victims receive e-mails sent in the name of the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain), with payment advice in the attachment. According to Kaspersky Lab research, the activity of this email domain can be tracked back to 2013.

Instead of instructions, the attachments contain the malware sample. If the targeted user opens the attached ZIP file, which has a JAR file in it, the malware self-installs and attempts to communicate with its command and control server. The malware allows the attacker to gain almost complete control over the compromised device and steal confidential information from the infected computer.

According to Kaspersky Lab researchers, since the victims include a high proportion of businesses, criminals could use industry-specific mailing list to target their attacks. Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology.