McAfee Labs Threat Advisory Adwind

December 9, 2015

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.

Summary

Adwind is a Java-based backdoor trojan that runs on any platform able to execute Java archives. Once the malicious .JAR file is run on the machine, the malware silently installs itself and connects to a remote site on a pre-configured port to receive commands from the remote attacker.

McAfee detects this threat under the following detection names: • Adwind • BackDoor-FCRJ!Adwind • Adwind!jar

Detailed information about the threat, its propagation, characteristics and mitigation are in the following sections:

• Infection and Propagation Vectors • Mitigation • Characteristics and Symptoms • Restart Mechanism • Remediation • McAfee Foundstone Services

Infection and Propagation Vectors

Adwind is propagated via spam emails carrying different kinds of attachments, as pictured in the three examples below:

• In this first example, the malicious .JAR file is embedded in an MS Word .DOC file which, once opened, drops and runs the backdoor on the machine:

• The malicious .JAR file comes either as a single attachment or as one of several files attached to the email; in this second example it came alongside a separate PDF file:

• In this third example, the malicious .JAR file was a single attachment:

The subjects can be various (non-exhaustive list):

• ***SPAM*** Re: Payment/TR COPY-Urgent
• credit note for outstanding payment of Invoice
• Fwd: //Top Urgent// COPY DOCS
• Re:Re: Re:Re:Re TT copy & PIs with Amendments very urgent...
• PO#939423
• Western Union Transaction

And the .JAR filenames as well (non-exhaustive list):

• Shipment_copies (2).jar
• FUD FIle.jar
• PO 8324979(1).jar
• Shipping Documents.jar
• Telex Copy.jar
• INSTRUCTIONCZ121.jar
• Order939423.jar
• Payment TT COPY.jar
• SCAN_DRAFT COPY BL,PL,CI.jar
• Enquiries&Sample Catalog CME-Trade.jar
• Transaction reciept for reconfirmation.xslx.jar
• P-ORD-C-10156-124658.jar
• Proforma Invoice...jar
• TT APPLICATION COPY FORM.jar
• Dec..PO.jar
• Credit_Status_0964093_docx.jar

Mitigation

The threat can be mitigated at several levels (file, Registry and URL) by the corresponding layers of McAfee products. Browse the product guidelines available here to mitigate the threat based on the behavior described below in the Characteristics and Symptoms section.

Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:
• KB81095 - How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
• KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Basic rules on handling emails: Email from unknown senders should be treated with caution. If an email looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs. Opening file attachments, especially from unknown senders, harbors risks. Never click links in emails without checking the URL. Many email programs permit the actual target of the link to be seen by hovering the mouse over the visible link without actually clicking on it (called the mouse-over function). Never respond to spam emails. A response lets the fraudsters know that the address they wrote to is valid.

Access Protection rule: prevent .JAR files from launching from %AppData%\[random folder name]\, and prevent new .JAR files from being created at this location. Because the folder name is random, the rule must use a wildcard for that path component (see KB54812). Note that the newer variants described under Characteristics and Symptoms drop their copy with a random file extension rather than .jar, so a rule keyed on the .jar extension alone does not cover them.

McAfee also recommends that you select and test the "Files being executed" option for the above folders, and add only known legitimate programs under the Application Data folder to "Processes to exclude".

Characteristics and Symptoms

Several variants of Adwind exist, which means that the contents of the Java archives can vary. However, some of the most frequently seen internal file structures are similar to the following:

• Variant 1

• Variant 2

• Variant 3

• Variant 4

• Variant 5

• Variant 6

On execution, Adwind copies itself at the following location:

%AppData%\[random folder name]\[random filename].jar

Depending on the variants of Adwind, the Java archive copied in the %AppData% folder may use a different file extension than “.jar”:

%AppData%\[random folder name]\[random filename].[random file extension]

It then changes the folder and file attributes to system, hidden and read-only, as shown below:

Finally, it executes the copy of itself located in the %AppData% folder and adds the following registry value, which makes the Java backdoor run at startup (javaw.exe, the JRE's console-less launcher, is invoked with -jar on the dropped archive):

Key:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: [random value name]
Data:  "[Java Runtime Environment directory]\javaw.exe" -jar "%AppData%\[random folder name]\[random filename].jar"

The Adwind Java backdoor comes in an obfuscated form to hide its malicious intent. Its payload and its configuration file (which doubles as the installation file) are encrypted with DES, RC4 or RC6, depending on the variant.

The Adwind backdoor will decrypt itself on-the-fly during execution.

For instance, analysis of an Adwind sample similar to variant 1 above reveals the following.

The first class to be executed is the one named Adwind.class, as declared in the META-INF/MANIFEST.MF file:

Manifest-Version: 1.0
Ant-Version: 1.8.4
X-COMMENT: Main-Class will be added automatically by build
Class-Path:
Created-By: 1.7.0_09-b05 ()
Main-Class: Adwind

This class first reads the resource file "ID" (the strings are obfuscated in the piece of code pictured above) and stores its content in a variable named "pass". The second encrypted string, located at the end of the class, decrypts to "Principal". ClassLoaderMod is then invoked with the variable "pass" and the string "Principal".

The content of the variable "pass" retrieved from the "ID" file is an 8-character string, i.e. exactly the 8 bytes of a DES key:

The ClassLoaderMod class concatenates “.adwind” to the string “Principal” to create a new string “Principal.adwind”, which actually is another resource file located in the Java archive. However, this file looks encrypted:

The 8-character string and the "Principal.adwind" resource name are then passed to the method Constantion in Constante.class. This method is responsible for decompressing the Principal.adwind resource and decrypting it with the DES cipher, keyed with that 8-character string:

Once decrypted, Principal.adwind turns out to be another class file. It contains a hardcoded key used to decrypt the config.xml resource (again with DES), and it acts as the backdoor installer by reading the decrypted config.xml.

Here is the config.xml file in its encrypted form:

Its decrypted content (shown here as the element values only, the XML tag names having been lost in this rendering) consists of:

Adwind RAT v1.0
Evsfqcvs
Nawjslrh
14
101
msrtcse.noip.me
KG5YeHbO
Mewloyse
100
true
645fe9b711cceeb51ec356def13e8b2a396f40b8
Psyajrgr

This decrypted config.xml file contains the folder name that will be created in %AppData% (under the entry "nombreCarpeta"), the file name that will be used to create the copy of the backdoor in %AppData% (under the entry “jarname”), the registry value name that will be added to the HKCU Run key (under the entry “regname”), the server that will be contacted (under the entry “dns”) and the port numbers that will be used to communicate with the remote attacker (under the entries “puerto1” and “puerto2”).

These pieces of information are customized though, and will vary from one Adwind sample to another. All the other files ending with “.adwind” in the Java archive will be decrypted on-the-fly in the same way.

Also, depending on the plugins used (additional class files), the backdoor has more or fewer capabilities. Some plugins allow the attacker to:
• Take screenshots
• Download additional files and execute them
• Modify and delete files
• Retrieve files located on the victim's machine
• Log keystrokes
• Access the webcam
• Control the mouse and keyboard
• Update itself

Variants 2 to 6 are newer and unpack their payload differently: the dropper JAR carries the actual backdoor as a second, encrypted JAR plus a plain-text file holding half of the decryption key, the other half being hidden in the dropper's class files.

• Variant 2

The Main-Class entry specified in MANIFEST.MF is Start.class. config.perl: this is an XOR-encrypted text file.

Here is its content after it is decrypted:

We can see that it contains the randomly chosen path and filename for the embedded and encrypted malicious JAR file, and half of the RC6 key that will be used to decrypt it.

The other half of the RC6 key will be retrieved from the other available class files. QL1sv1aEo: as seen above, this is the RC6 encrypted malicious .JAR file containing the Adwind backdoor.

After this embedded and RC6 encrypted Java archive is decrypted, we eventually gain access to the Adwind backdoor class files and resources.

The “config.json” file shown below is the configuration file (in plain text) of the backdoor, containing the defined port numbers, servers, the installation path, and so on:
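The advisory states only that config.perl is XOR-encrypted, not the key or its length. The following is an added example (not McAfee's code and not code from the malware) of the two generic approaches an analyst would try first on such a file: an exhaustive search over a single-byte key scored by how text-like the result is, and a known-plaintext (crib) attack for a short repeating key, using a string the file is expected to contain, such as "AppData" from the dropped path. The sample plaintext, both keys and the 3-byte key length are constructed for the demonstration.

```python
"""Recover the XOR key protecting a variant 2 config.perl when the key is unknown.

Added example for this advisory; not McAfee's or Adwind's code. The sample
plaintext, SINGLE_KEY, REPEATING_KEY and the key length 3 are constructed.
"""
import string

TEXT_BYTES = set(bytes(string.ascii_letters + string.digits + " \n\r\t", "ascii"))
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(data):
    """Crude plaintext likelihood: +1 per letter/digit/whitespace byte,
    -10 per control or non-ASCII byte, 0 for other printable punctuation."""
    return sum(1 if b in TEXT_BYTES else (-10 if b not in PRINTABLE else 0) for b in data)


def recover_single_byte_key(ciphertext):
    """Try all 256 single-byte keys; return (key, plaintext) for the best-scoring result."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(ciphertext, bytes([k]))))
    return bytes([best]), xor_bytes(ciphertext, bytes([best]))


def recover_repeating_key(ciphertext, crib, key_len, min_ratio=0.75):
    """Known-plaintext attack on a repeating key of length key_len.

    Slide the crib over every offset; each aligned byte determines one key
    position (key[pos] = ct ^ crib). Reject offsets where two crib bytes
    disagree about the same key position or leave a position undetermined,
    and accept the first candidate whose full decryption looks like text."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    for off in range(len(ciphertext) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for i, c in enumerate(crib):
            pos = (off + i) % key_len
            k = ciphertext[off + i] ^ c
            if key[pos] is None:
                key[pos] = k
            elif key[pos] != k:
                consistent = False
                break
        if not consistent or None in key:
            continue
        key = bytes(key)
        plain = xor_bytes(ciphertext, key)
        if text_score(plain) >= min_ratio * len(plain):
            return key, plain
    return None, None


# Constructed config.perl-like plaintext: a dropped path and a key half, the two
# items the advisory says the real file contains.
SAMPLE_PLAINTEXT = (b"path=C:\\Users\\victim\\AppData\\Roaming\\Qwxrtbn\\Lkzpsvm.jar\n"
                    b"key1=a9f3b2c1d4e5\n")
SINGLE_KEY = bytes([0x5A])   # constructed
REPEATING_KEY = b"k3y"       # constructed

if __name__ == "__main__":
    ct1 = xor_bytes(SAMPLE_PLAINTEXT, SINGLE_KEY)
    print(recover_single_byte_key(ct1))
    ct2 = xor_bytes(SAMPLE_PLAINTEXT, REPEATING_KEY)
    print(recover_repeating_key(ct2, b"AppData", 3))
```

The scoring deliberately penalises control characters rather than merely counting printable bytes: XOR with a small difference from the true key keeps most letters printable, so a printable-only score produces ties, whereas a stray vertical tab or DEL from the newline or an "x" breaks the tie. For a real sample the crib is whatever the decrypted config is expected to hold (a path fragment, ".jar", or the name of the embedded archive seen in the archive listing).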

• Variant 3

The Main entry specified in MANIFEST.MF is Start.class. password.txt: this text file (plain text) contains half of the RC6 key that will be used to decrypt the embedded malicious JAR file. The other half of the RC6 key will be retrieved from the other available class files. server.dll: this is the RC6 encrypted malicious JAR file containing the Adwind backdoor.

• Variant 4

The Main-Class entry specified in MANIFEST.MF is Main.class. a.txt: this plain-text file contains half of the RC4 key that will be used to decrypt the embedded malicious JAR file. The other half of the RC4 key is retrieved from the other class files. b.txt: this is the RC4-encrypted malicious JAR file containing the Adwind backdoor.

• Variant 5

The Main entry specified in MANIFEST.MF is Start.class. stubcito.opp: this is the RC6 encrypted malicious JAR file containing the Adwind backdoor. textito.isn: this text file (plain text) contains half of the RC6 key that will be used to decrypt the embedded malicious JAR file. The other half of the RC6 key will be retrieved from the other available class files.

• Variant 6

The Main entry specified in MANIFEST.MF is Start.class. resource.xsx: this is the RC6 encrypted malicious JAR file containing the Adwind backdoor. textito.text: this text file (plain text) contains half of the RC6 key that will be used to decrypt the embedded malicious JAR file. The other half of the RC6 key will be retrieved from the other available class files.
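The six layouts above can be recognised statically before anything is decrypted. The following is an added example (not McAfee's code and not code from the malware) of a triage script that reads the manifest Main-Class, flags archive members whose byte entropy is high enough to be ciphertext rather than text or bytecode, and matches the member names against the file names quoted in this advisory. Real samples randomise the name of the embedded encrypted archive (QL1sv1aEo above), so the fingerprints rely on the fixed names only; the look-alike archives built by build_sample() are constructed in memory so the script runs offline.

```python
"""Static triage of a suspected Adwind dropper .JAR.

Added example for this advisory; not McAfee's or Adwind's code. The
fingerprints are the member names quoted in the advisory; build_sample()
fabricates look-alike archives (random bytes for the encrypted resources).
"""
import io
import math
import random
import re
import zipfile

# (label, expected Main-Class, member names the advisory lists for that layout)
FINGERPRINTS = [
    ("variant 1 (DES)", "Adwind", {"ID", "Principal.adwind", "config.xml"}),
    ("variant 2 (RC6)", "Start", {"config.perl"}),
    ("variant 3 (RC6)", "Start", {"password.txt", "server.dll"}),
    ("variant 4 (RC4)", "Main", {"a.txt", "b.txt"}),
    ("variant 5 (RC6)", "Start", {"stubcito.opp", "textito.isn"}),
    ("variant 6 (RC6)", "Start", {"resource.xsx", "textito.text"}),
]


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text or XML."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def main_class(jar):
    """Main-Class attribute from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def triage(jar_bytes, entropy_threshold=7.0):
    """Return the Main-Class, member list, high-entropy members and the matched layout."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [i.filename for i in jar.infolist() if not i.is_dir()]
        mc = main_class(jar)
        encrypted_like = {}
        for name in names:
            if name.startswith("META-INF/") or name.endswith(".class"):
                continue  # the manifest and bytecode are never the encrypted payload
            ent = shannon_entropy(jar.read(name))
            if ent >= entropy_threshold:
                encrypted_like[name] = round(ent, 2)
    variant = None
    for label, klass, required in FINGERPRINTS:
        if mc == klass and required <= set(names):
            variant = label
            break
    return {"main_class": mc, "members": names,
            "encrypted_like": encrypted_like, "variant": variant}


def build_sample(variant):
    """Constructed look-alike archive for one of the six layouts. Random bytes stand
    in for the encrypted resources, short ASCII strings for the plain-text key
    halves; the embedded archive name for variant 2 mirrors the advisory. Not malware."""
    rnd = random.Random(variant)  # seeded so the output is reproducible

    def blob(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    layouts = {
        1: ("Adwind", {"ID": b"A1b2C3d4", "Principal.adwind": blob(4096),
                       "config.xml": blob(2048), "Adwind.class": blob(64)}),
        2: ("Start", {"config.perl": blob(512), "QL1sv1aEo": blob(4096)}),
        3: ("Start", {"password.txt": b"h4lfk3y!", "server.dll": blob(4096)}),
        4: ("Main", {"a.txt": b"h4lfk3y!", "b.txt": blob(4096)}),
        5: ("Start", {"textito.isn": b"h4lfk3y!", "stubcito.opp": blob(4096)}),
        6: ("Start", {"textito.text": b"h4lfk3y!", "resource.xsx": blob(4096)}),
    }
    klass, members = layouts[variant]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: %s\r\n\r\n" % klass)
        for name, data in members.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for v in range(1, 7):
        r = triage(build_sample(v))
        print(v, r["variant"], r["main_class"], sorted(r["encrypted_like"]))
```

The entropy check is what generalises: a dropper that renames its members will still show a small Main-Class, a few .class files and one large resource at nearly 8 bits per byte, which is the embedded encrypted JAR to extract next. The plain-text key halves score far below the threshold, which is how a.txt, password.txt and the textito files separate from their encrypted companions without reading them.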

Notes:

• %AppData% - C:\Users\[UserName]\AppData\Roaming\

Restart Mechanism

The following registry value confirms that the backdoor trojan will start every time Windows starts:

Key:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: [random value name]
Data:  "[Java Runtime Environment directory]\javaw.exe" -jar "%AppData%\[random folder name]\[random filename].jar"

Or, for newer variants, with a random file extension on the dropped archive:

Key:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: [random value name]
Data:  "[Java Runtime Environment directory]\javaw.exe" -jar "%AppData%\[random folder name]\[random filename].[random extension name]"
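The config.xml entries described under Characteristics and Symptoms (nombreCarpeta, jarname, regname, dns, puerto1, puerto2) determine exactly the artefacts listed in this section, so a decrypted config can be turned directly into host indicators, and the Run value can be hunted for independently of the extension. The following is an added example (not McAfee's code and not code from the malware). The element names are the ones the advisory gives; the surrounding XML structure, every value in SAMPLE_CONFIG (except the dns entry, which is quoted in the advisory) and the reg query output in SAMPLE_RUN_QUERY are constructed for the example.

```python
"""From a decrypted Adwind config.xml to the host artefacts it will create, plus a
hunt for the javaw.exe -jar persistence in `reg query` output.

Added example for this advisory; not McAfee's or Adwind's code. The XML root
element and every value other than the dns entry are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a decrypted config.xml (root element name assumed).
SAMPLE_CONFIG = """<config>
  <nombreCarpeta>Qwxrtbn</nombreCarpeta>
  <jarname>Lkzpsvm</jarname>
  <regname>Hgtyuio</regname>
  <dns>msrtcse.noip.me</dns>
  <puerto1>1604</puerto1>
  <puerto2>1605</puerto2>
</config>
"""

# Constructed output of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# One benign entry, the two Adwind shapes (.jar and random extension), and a
# legitimate javaw.exe -jar launch from Program Files that must not match.
SAMPLE_RUN_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Hgtyuio    REG_SZ    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\victim\AppData\Roaming\Qwxrtbn\Lkzpsvm.jar"
    Zqplmnb    REG_SZ    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "%AppData%\Rtyuiop\Fghjklz.xsx"
    Updater    REG_SZ    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\Vendor\update.jar"
"""


def parse_config(xml_text):
    """Extract the installation and C2 fields the advisory names from the decrypted config."""
    root = ET.fromstring(xml_text)

    def field(tag):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    ports = [int(p) for p in (field("puerto1"), field("puerto2")) if p and p.isdigit()]
    return {"folder": field("nombreCarpeta"), "jarname": field("jarname"),
            "regname": field("regname"), "dns": field("dns"), "ports": ports}


def derived_iocs(cfg, appdata=r"C:\Users\victim\AppData\Roaming", extension="jar"):
    """Artefacts the config implies: the copy under %AppData%, the Run value and the C2 endpoints.
    extension is "jar" for the older variants; newer variants use a random extension."""
    install_path = r"%s\%s\%s.%s" % (appdata, cfg["folder"], cfg["jarname"], extension)
    return {
        "install_path": install_path,
        "run_value_name": cfg["regname"],
        "run_value_data": r'"<JRE directory>\javaw.exe" -jar "%s"' % install_path,
        "c2": ["%s:%d" % (cfg["dns"], p) for p in cfg["ports"]],
    }


# javaw.exe -jar pointing at a file one folder below the roaming profile. The
# extension is deliberately not checked so the random-extension variants match too.
RUN_VALUE_RE = re.compile(
    r'javaw\.exe"?\s+-jar\s+"?(?P<target>(?:%AppData%|[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Roaming)'
    r'\\[^\\"]+\\[^\\"]+?)"?\s*$',
    re.IGNORECASE)
VALUE_LINE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")


def hunt_run_keys(reg_query_output):
    """Return (value name, target file) for every Run value matching the Adwind pattern."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        t = RUN_VALUE_RE.search(data)
        if t:
            hits.append((name, t.group("target")))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(derived_iocs(cfg))
    print(hunt_run_keys(SAMPLE_RUN_QUERY))
```

The hunt keys on the shape of the value data (javaw.exe, -jar, a path one level below the roaming profile) rather than on the value name or the extension, because all three of those are randomised per sample; the Program Files entry is left alone because legitimate Java applications also register themselves that way. On a live host the same pattern can be applied to the output of reg query or to an ePO registry collection.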

Remediation

Detection for this malware family has been added to the database and is available from DAT 7899 onward. A Full Scan with updated DATs can remove the infection from the machine.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2014 McAfee, Inc. All rights reserved.