AdWind
Intelligence Profile
Sold as a malware-as-a-service platform rather than operated by a single group
The name is also used generically for the family of Java-based RATs built on the same codebase (the cross-platform JAR runs wherever a Java runtime is installed)
Functionality
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local applications and web forms
- download and execute additional malware
- modify the registry
- download additional components (plugins)
- take part in denial-of-service attacks
- harvest VPN certificates
Initial infection vector
1. Email with a JAR file attached (often disguised as an invoice or similar document)
2. Malspam carrying a URL from which the JAR is downloaded
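Because the delivery vector is a JAR file attached to mail, the first mail-gateway check a defender wants is one that recognises Java archives regardless of the filename. The following is an added example written for this profile, not code from the AdWind family or from any vendor product; it builds a constructed sample message in memory (the sender, recipient and attachment names are made up), then flags attachments that carry a `.jar` extension, that are ZIP containers holding a `META-INF/MANIFEST.MF`, or that are ZIP archives wrapping a `.jar`.

```python
"""Flag e-mail attachments that are Java archives, the AdWind delivery format.

Added example for this profile; the message and attachment names are constructed.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

JAR_EXT = re.compile(r"\.jar$", re.IGNORECASE)
ARCHIVE_EXT = re.compile(r"\.(zip|jar)$", re.IGNORECASE)


def is_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP container that carries a JAR manifest."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_jar_attachments(raw_eml: bytes) -> list:
    """Return one finding per attachment that looks like a JAR, with the reasons."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if JAR_EXT.search(name):
            reasons.append("jar extension")
        if is_jar(data):
            # Catches a JAR renamed to .pdf, .zip or anything else
            reasons.append("jar manifest inside archive")
        if ARCHIVE_EXT.search(name) and data.startswith(b"PK"):
            # A .zip wrapping a .jar is a common way to get past extension filters
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if JAR_EXT.search(n)]
                if inner:
                    reasons.append("nested jar: " + ", ".join(inner))
            except zipfile.BadZipFile:
                pass
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_jar() -> bytes:
    """Constructed minimal JAR: a manifest plus a stub class entry (class-file magic only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Updater\n")
        zf.writestr("Updater.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed malspam-style message: a double-extension JAR, a ZIP wrapping a JAR, a benign PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_jar(), maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.pdf.jar")
    wrapper = io.BytesIO()
    with zipfile.ZipFile(wrapper, "w") as zf:
        zf.writestr("Invoice.jar", build_jar())
    msg.add_attachment(wrapper.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_jar_attachments(build_sample_eml()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

The manifest check matters more than the extension check: a JAR renamed to `.pdf` still opens with `javaw -jar`, so a gateway that only looks at the filename misses it.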
Persistence
- Run key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run (a value that launches the dropped JAR with javaw.exe)
Hiding
Uses attrib.exe to set the hidden attribute on the dropped files and directory
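The persistence and hiding notes above translate directly into two detection rules that are stronger together: a `Run` value that launches a `.jar` through `javaw.exe`, and an `attrib.exe` invocation with `+h` whose target is that JAR or its parent directory. The following is an added example written for this profile, not AdWind code or any vendor rule; it runs over constructed Sysmon-like events (Event ID 13 registry value set, Event ID 1 process create; the SID, user name and paths are made up) and correlates the two so that an `attrib +h` on a persistence artifact is rated higher than a lone `attrib +h` elsewhere.

```python
"""Detect Java Run-key persistence and attrib.exe hiding in Sysmon-like events.

Added example for this profile; the events below are constructed, not captured.
"""
import re
from typing import Optional

# HKCU keys appear as HKU\<SID>\... in Sysmon registry events (Event ID 13)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# java.exe / javaw.exe launching a .jar, quoted or unquoted path
JAVA_JAR = re.compile(r"javaw?(?:\.exe)?\"?\s.*?-jar\s+\"?([^\"]+?\.jar)", re.IGNORECASE)
# attrib switch that sets the hidden attribute
ATTRIB_HIDE = re.compile(r"(?:^|\s)\+h\b", re.IGNORECASE)


def jar_from_run_value(details: str) -> Optional[str]:
    """Path of the JAR a Run value launches, or None if it is not a Java launch."""
    m = JAVA_JAR.search(details)
    return m.group(1) if m else None


def attrib_target(cmdline: str) -> Optional[str]:
    """Path operand of an attrib command line: the last token that is not a switch."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    operands = [t for t in tokens[1:] if not t.startswith(("+", "-", "/"))]
    return operands[-1] if operands else None


def norm(path: str) -> str:
    """Case-fold and strip a trailing wildcard (\\*.* or \\*) for comparison."""
    return re.sub(r"\\\*(\.\*)?$", "", path).lower().rstrip("\\")


def analyze(events: list) -> list:
    """First pass: Run values launching JARs. Second pass: attrib +h, correlated to them."""
    alerts, jars = [], []
    for ev in events:
        if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            jar = jar_from_run_value(ev.get("Details", ""))
            if jar:
                jars.append(norm(jar))
                alerts.append({"rule": "java_jar_run_key_persistence", "severity": "high",
                               "value": ev["TargetObject"], "jar": jar})
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\attrib.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        if not ATTRIB_HIDE.search(cmd):
            continue
        target = attrib_target(cmd)
        t = norm(target) if target else ""
        # Related if attrib targets the JAR itself or a directory that contains it
        related = bool(t) and any(j == t or j.startswith(t + "\\") for j in jars)
        alerts.append({"rule": "attrib_hide_persistence_artifact" if related else "attrib_hide",
                       "severity": "high" if related else "low", "target": target})
    return alerts


# Constructed sample events: one Java Run value, one attrib +h on its directory,
# one benign Run value, one benign attrib, one unrelated attrib +h.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe" -jar "C:\Users\bob\AppData\Roaming\Oracle\bin\Updater.jar"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h +s "C:\Users\bob\AppData\Roaming\Oracle"'},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib -r "C:\Users\bob\Documents\notes.txt"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h C:\Temp\scratch.txt"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a.get("jar") or a.get("target"))
```

Registry values are keyed under `HKU\<SID>` rather than `HKCU` in Sysmon, which is why the rule matches on the key suffix only; the correlation step is what keeps the generic `attrib +h` rule from paging anyone on routine administrative use.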
Notes on Adwind
The malware is not known to be proxy aware, so on a network where outbound access is only allowed through a proxy its command-and-control connections will fail, and a Java process attempting direct outbound connections is itself a useful indicator
Threat Analysis
AdWind is a malware family sold as a service, not a single threat actor: it is used by many unrelated operators, so the national origin, sophistication and motivation of any given campaign cannot be inferred from the tool alone and must be assessed per campaign.