According to Kaspersky Lab, the Adwind Remote Access Tool has been used by hackers to target over 1500 organizations in 100 countries and territories.
Among the victims, 20% operate in retail and distribution accounting, 9.5% in the architecture and construction sector, 5.5% in shipping and logistics, 5% in insurance and legal services, and another 5% in consulting.
The victims receive fake emails pretending to be from HSBC Advising Service, using mail.hsbcnet.hsbc.com as the sender domain and carrying the malware inside a zipped attachment. When the zip is opened, it reveals a JAR file that makes the malware self-install and communicate with the C&C server, giving the hackers remote access to the computer. It can run on Windows, OS X, Linux and Android, and provides the hackers with remote desktop control, data gathering and data exfiltration, among other capabilities.
40% of the attacks aim to infect organizations in Malaysia, the United Kingdom, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, the United Arab Emirates, Mexico and Russia.
As you may know, the Adwind Remote Access Tool (or RAT) is a cross-platform malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which hackers have to pay for in order to distribute it.
Since 2013, Kaspersky has counted over 443000 infected users around the world.
The biggest problem is that the infected JAR files inside the zipped attachments are not detected by any antivirus solution, according to VirusTotal.com. For more information, see this post from Kaspersky's securelist.com.
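Since the JAR inside the zipped attachment is reported as undetected by antivirus engines, a mail gateway can instead flag it by structure: a JAR is a ZIP archive that carries a `META-INF/MANIFEST.MF` entry. The following is an added example, not code from Kaspersky or from the original article; the function names, the size cap, the addresses and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

JAR_MARKER = "META-INF/MANIFEST.MF"  # manifest entry of a standard JAR
MAX_MEMBER = 10_000_000              # assumed cap on bytes unpacked per member

def looks_like_jar(name, data):
    """A JAR is a ZIP archive: match on the extension or on the manifest entry."""
    if name.lower().endswith(".jar"):
        return True
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return JAR_MARKER in zf.namelist()

def jar_findings(raw_email):
    """List every attachment, or member of a zipped attachment, that is a JAR."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_like_jar(name, data):       # JAR attached directly or renamed
            findings.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Encrypted or oversized members are judged by name only.
                    skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER
                    body = b"" if skip else zf.read(info)
                    if looks_like_jar(info.filename, body):
                        findings.append(f"{name} -> {info.filename}")
    return findings

def build_sample(member_name, as_jar=True):
    """Constructed, harmless sample mail: a zip attachment with one member."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JAR_MARKER if as_jar else "readme.txt", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(member_name, inner.getvalue())
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="advice.zip")
    return msg.as_bytes()
```

The manifest check also catches a JAR whose extension was changed, which a filename-only attachment rule would miss.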