Kaspersky Lab has detected a massive new hit by the Adwind Remote Access Tool (RAT). This multifunctional backdoor has been used in attacks against more than 1,500 organizations in over 100 countries and territories including the Philippines.
The attacks have impacted various industrial sectors, including retail and distribution (20.1%), architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%) and consulting (5%).
Adwind’s victims receive e-mails sent in the name of the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain), with payment advice in the attachment. According to Kaspersky Lab research, the activity of this email domain can be tracked back to 2013.
Instead of instructions, the attachments contain the malware sample. If the targeted user opens the attached ZIP file, which has a JAR file in it, the malware self-installs and attempts to communicate with its command and control server.
The malware allows the attacker to gain almost complete control over the compromised device and steal confidential information from the infected computer.
The geographical distribution of attacked users registered by the Kaspersky Security Network (KSN) during this period shows that almost half of them (more than 40%) were living in the following ten countries:
According to Kaspersky Lab researchers, since the victims include a high proportion of businesses, criminals could use industry-specific mailing list to target their attacks. Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology.