architectvur.blogg.se

What is filezilla bundled wit

PDT to provide SHA-256 hashes instead of SHA-1 hashes.

We discovered a spam campaign that delivers the notorious cross-platform remote access Trojan (RAT) Adwind a.k.a. jRAT (detected by Trend Micro as JAVA_ADWIND.WIL) alongside another well-known backdoor called XTRAT a.k.a. XtremeRAT (BKDR_XTRAT.SMM). The spam campaign also delivered the info-stealer Loki (TSPY_HPLOKI.SM1). DUNIHI (VBS_DUNIHI.ELDSAVJ), a known VBScript with backdoor and worm capabilities, was also seen being dropped with Adwind via spam mail in a separate incident. Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org. The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: if one malware gets detected, the other malware could attempt to finish the job.

This year, we saw 5,535 unique detections of Adwind between January 1 and April 17. The U.S., Japan, Australia, Italy, Taiwan, Germany, and the U.K. were found to be the most affected regions.

Figure 1. Adwind detections between January 1 and April 17, 2018

The exploited RTF document (TROJ_CVE201711882.UHAOBGG) seen below delivered the bundled set of Adwind, XTRAT, and Loki.

Figure 2. RTF document that carries Adwind, XTRAT, and Loki

When the exploited RTF document is executed, it downloads Loki from a compromised website (hxxp://steamer10theatre[.]org/wp-admin/js/ehe[.]exe). Loki, a Trojan dropper, drops Adwind and XTRAT.

Figure 3. Infection chain of the spam that delivers Adwind, XTRAT, and Loki

The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70.hopto[.]org.

Adwind, which has been in the wild since 2013, can run on all major operating systems (Windows, Linux, MacOSX, Android) with Java and is known for its diverse backdoor capabilities such as (but not limited to):

  • Uploading, downloading, and executing files.

XTRAT shares similar capabilities with Adwind, such as information theft, file and registry management, remote desktop, etc.:

  • Registry manipulation (read, write and manipulate).
  • Process manipulation (execute and terminate).
  • Service manipulation (stop, start, create and modify).
  • Perform remote shell and control victim’s system.