Author: Victor Sandin
TLP:WHITE
From 12 to 13 November, Infoblox observed a malicious email campaign distributing the Adwind remote access trojan (RAT)[1] via a spoofed O’Meara Auto Group invoice delivered as Microsoft Excel spreadsheets (XLS) containing malicious macros.
Adwind, also known as AlienSpy, jRat, Sockrat, etc., is one of the most widely used cross-platform Malware-as-a-Service (MaaS) packages that threat actors can purchase for a fee.[2] Adwind’s capabilities include:
- Logging keystrokes,
- Collecting system information,
- Transferring data,
- Controlling the victim’s webcam,
- Harvesting user credentials, and
- Recording sounds and taking screenshots.
In the campaign we observed, the threat actors sent emails whose subject and body both read "Your Order confirmation # <XXXX>", where the Xs represent a varying number of random digits. The emails also carried an attached XLS file named "INVOICE # SPLXXXX".
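The lure strings above are simple to turn into mail-gateway detection logic. The following is an added example, not Infoblox code: it scans constructed log lines (the `from=… subj="…" att="…"` format is hypothetical) for the subject and attachment-name patterns and flags macro-capable spreadsheets; the `.xls`/`.xlsm` extension handling is an assumption, since the advisory names the attachment without an extension.

```python
import re

# Indicators from the advisory: subject/body "Your Order confirmation # <XXXX>"
# (varying count of random digits) and an XLS attachment "INVOICE # SPLXXXX".
SUBJECT_RE = re.compile(r"^\s*Your Order confirmation\s*#\s*\d+\s*$", re.IGNORECASE)
# The advisory gives the attachment name without an extension; accepting an
# optional .xls/.xlsm/.xlsx suffix is an assumption made for this example.
ATTACH_RE = re.compile(r"^INVOICE\s*#\s*SPL\d+(\.xls[mx]?)?$", re.IGNORECASE)
MACRO_EXTS = (".xls", ".xlsm")

# Constructed mail-gateway log format (hypothetical, not Infoblox's):
#   from=<addr> subj="<subject>" att="<attachment name>"
LINE_RE = re.compile(r'from=(?P<sender>\S+)\s+subj="(?P<subject>[^"]*)"\s+att="(?P<att>[^"]*)"')

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = """\
from=billing@spoofed.example subj="Your Order confirmation # 48213" att="INVOICE # SPL48213.xls"
from=hr@corp.example subj="Team lunch Friday" att="menu.pdf"
from=orders@spoofed.example subj="Your Order confirmation #9071" att="INVOICE # SPL9071.xls"
from=vendor@supplier.example subj="Invoice 2231" att="Q4_report.xlsm"
"""

def parse_line(line):
    """Return a dict with sender/subject/att, or None if the line does not parse."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(event):
    """Return (verdict, reasons). 'campaign_match' requires both lure indicators;
    'review' flags a partial match or any macro-capable spreadsheet."""
    reasons = []
    subj_hit = bool(SUBJECT_RE.match(event["subject"]))
    att_hit = bool(ATTACH_RE.match(event["att"]))
    if subj_hit:
        reasons.append("subject matches Adwind lure")
    if att_hit:
        reasons.append("attachment name matches Adwind lure")
    if event["att"].lower().endswith(MACRO_EXTS):
        reasons.append("macro-capable spreadsheet attached")
    if subj_hit and att_hit:
        return "campaign_match", reasons
    return ("review" if reasons else "clean"), reasons

def scan_log(text):
    """Classify every parseable line; returns a list of (sender, verdict, reasons)."""
    results = []
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            results.append((event["sender"], *classify(event)))
    return results

if __name__ == "__main__":
    for sender, verdict, reasons in scan_log(SAMPLE_LOG):
        print(f"{verdict:15} {sender:28} {'; '.join(reasons)}")
```

Tune the subject pattern to your own gateway's normalisation (leading "RE:"/"FW:" tags, whitespace) before relying on exact anchoring.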
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://securelist.com/adwind-faq/73660/
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–34