Rewterz Threat Alert – Adwind jRAT Campaign Targets Banks in India

Severity

Medium

Analysis Summary

Researchers observed a COVID-19 themed spear-phishing email targeted towards co-operative banks in India. Appearing to come from a large Indian bank and aimed towards smaller co-operative banks, the body of the email claims that the attached file contains information regarding measures related to COVID-19. The attachment is a ZIP archive masquerading as a spreadsheet or PDF. Inside the archive is a JAR file that similarly attempts to hide as a spreadsheet or PDF. This JAR file acts as a first-stage, dropping and executing the second-stage JAR. It also establishes persistence via a Registry Run key. The second-stage payload is the Adwind jRAT and provides the main malicious functionality. It communicates with its C2 server on a non-standard port. Once connected to its C2, it can receive a variety of commands that provide extensive remote access capabilities. Specifically, it can download and execute additional payloads, capture screenshots, provide remote desktop access, perform file operations, and more.

Impact

• Information theft
• Financial loss

Indicators of Compromise

MD5

• D7409C0389E68B76396F9C33E48AB72B
• 09477F63366CF4B4A4599772012C9121
• 8C5FFB7584370811AF61F81538816613
• 01AB7192109411D0DEDFE265005CCDD9
• 0CEACC58852ED15A5F55C435DB585B7D

SHA-256

• 0ad602eeba1970ed5230bb59ad1e197c3bd3d28bb57a62dd418dd2c7ddeddb9f
• c50b9aaadf69c7ce1112d8d9b00ed9dacb15a2873ab17161e42a9f5d96658e54

SHA1

• e0d2f14f4c2b19d7fd994279ba329cadd20f6d0f
• cb347f131b133b187808ff72cab80a5be420f552

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders. 
• Never click on the links/attachments sent by unknown senders.
• Search for IOCs in the existing environment.