The cross-platform remote access trojan (RAT) Adwind drops a payload onto Mac computers only after users overlook a series of potential red flags.
Malwarebytes researcher Thomas Reed recently analyzed a sample of Adwind that was going undetected after a colleague told him the RAT was allegedly cross-platform.
Reed was doubtful, as he explains in a blog post:
"This is often code for 'this malware was written in Java,' which doesn’t necessarily mean that it actually drops a Mac payload. So I was a bit skeptical, and said so. But, hey, new malware to play with... how could I resist taking a peek?"
The researcher had a right to be skeptical. After confirming the malware was written in Java, he came across at least four red flags that should warn users of an infection:
- The malware dropper attempted to mimic a document, but it took .jar as its extension and not something more common like .docx or .pdf.
- Mac systems won't run the malware without a Java runtime, which Apple stopped shipping with its computers years ago.
- The malicious file isn't code-signed, so Gatekeeper blocks it from running under its default settings.
- Even when the file executed, no decoy document or fake app interface appeared. Most users would realize something funny was up.
All of that notwithstanding, the malware had a surprise for Reed. As he notes:
"When I looked to see what file system changes had been made, lo and behold, there was a brand new launch agent, loading an executable found in a brand new hidden folder!
"The launch agent file was named org.yrGfjOQJztZ.plist, and was found in the user LaunchAgents folder. It loaded a Java app named BgHSYtccjkN.ELbrtQ, and found in a hidden folder in the user’s home folder."
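The persistence Reed describes is a user-level launch agent whose plist points at an executable in a hidden folder under the home directory. The following script is an added example, not code from Reed's post or from Malwarebytes: it parses launch agent plists and flags the traits a defender can check for offline, namely a program path inside a dot-prefixed directory, a program living in the user's home rather than an app bundle, and a `java -jar` invocation. The plist filename, label and Java app name come from the article; the user name `victim` and the hidden folder name `.assumedHiddenFolder` are constructed for the example, as is the benign control agent.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample inputs. The plist name, label and Java app name are the
# ones reported in the article; "victim" and ".assumedHiddenFolder" are
# assumptions made for this example, as is the benign control agent.
SAMPLE_AGENTS = {
    "org.yrGfjOQJztZ.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>org.yrGfjOQJztZ</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/java</string>
    <string>-jar</string>
    <string>/Users/victim/.assumedHiddenFolder/BgHSYtccjkN.ELbrtQ</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
    # Benign control: a vendor-style agent launching a binary from an app bundle.
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
}


def program_paths(plist):
    """Return every absolute path the agent would launch (Program plus ProgramArguments)."""
    paths = []
    if "Program" in plist:
        paths.append(plist["Program"])
    paths.extend(a for a in plist.get("ProgramArguments", []) if a.startswith("/"))
    return paths


def in_hidden_dir(path):
    """True if any directory component (not the filename) is dot-prefixed, i.e. hidden in Finder."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts[:-1])


def classify_agent(filename, data):
    """Parse one launch agent plist and collect the reasons it looks suspicious."""
    plist = plistlib.loads(data)
    paths = program_paths(plist)
    reasons = []
    for p in paths:
        if in_hidden_dir(p):
            reasons.append(f"launches from hidden directory: {p}")
        if p.startswith("/Users/") and not p.startswith("/Users/Shared/") and "/Applications/" not in p:
            reasons.append(f"launches from user home rather than an app bundle: {p}")
    args = plist.get("ProgramArguments", [])
    if any(PurePosixPath(a).name == "java" for a in args) and "-jar" in args:
        reasons.append("runs a Java jar via launchd")
    return {"file": filename, "label": plist.get("Label"), "paths": paths, "reasons": reasons}


def scan(agents):
    """Return the classification of every agent that triggered at least one reason."""
    return [r for r in (classify_agent(n, d) for n, d in agents.items()) if r["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_AGENTS):
        print(hit["file"], "->", "; ".join(hit["reasons"]))
```

On a real machine the dictionary would be built by reading each file in `~/Library/LaunchAgents`; the sample dictionary stands in for that directory so the script runs offline. None of the three checks is proof of malice on its own (some legitimate tools do install user agents), but an agent that trips all three, with a random-looking label, is worth a closer look.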
Adwind, otherwise known as AlienSpy, JSocket, and jRat, has been around since at least 2012. Once it infects a user's computer, it carries out all the normal functions of a RAT, including collecting screenshots, stealing passwords, and managing SMS on Android devices.
The trojan is sold openly on a public website for US $30 a month or $200 for an unlimited license. As a result, it's no wonder the malware infected at least 443,000 users between 2013 and 2016.
In July alone, researchers spotted Adwind involved in multiple targeted attack campaigns aimed at Danish companies.
All of that aside, Adwind isn't the strongest piece of malware when it comes to Mac users because of its red flags. Reed agrees:
"In all, this malware isn’t particularly worrisome. It would take a bit of effort on the part of a Mac user to infect their computer with Adwind in its current form."
To avoid an infection, users should install an anti-virus solution on their computers, watch for the red flags explained above, and exercise digital security common sense, which includes not opening suspicious email attachments.