Nigerian cyber criminals are shifting away from traditional email-based scams and using malware to target bank accounts. One source of that malware comes from Adwind, the largest malware-as-a-service platform currently in operation, according to Kaspersky Lab researchers.
Kaspersky Lab researchers uncovered a website that operates as a malware marketplace, where anyone can create an account and purchase remote administration tools with advanced features, said Vitaly Kamluk, director of Global Research & Analysis Team in APAC at Kaspersky Lab. The website, JSocket, is well-designed and even has an accompanying YouTube channel showing customers how to use the software. Customers can sign up for an account and purchase one of the many subscription plans available to actually get the software.
"It looks like a software company's website," Kamluk said.
JSocket is the latest iteration of Adwind, the cross-platform malware that has been around since 2012 under various names, including Frutas, Unrecom, Sockrat, jRat, and AlienSpy. Written entirely in Java, Adwind can infect Windows, OS X, Linux, and Android platforms.
JSocket/Adwind is different from other commercial malware in that it is distributed as a paid malware as a service. Kaspersky Lab researchers estimate the platform currently has approximately 2,100 customers and 150 unique malware samples.
"It's not just another malware," Kamluk said, calling it an "all-in-one for criminals" interested in a "one-stop shop" to create and manage their fraudulent campaigns.
One-stop shop for malware campaigns
JSocket provides a malware builder and control panel to manage the campaigns. The malware has a built-in keylogger and can steal VPN certificates as well as passwords from browsers, Outlook, databases, and messaging software. It also provides an impressive array of features, including a VPN anonymizer and add-on modules such as the Downloader module, which automatically installs Java on the victim machine, and a cryptographic tool. It offers chat software to communicate with victims, remote desktop control software, file transfer tools, APK management for Android, and the ability to collect general system and user information, and capture video from the webcam and audio from the microphone. JSocket can also test the generated malware against popular antivirus engines to determine whether the new build would be able to bypass security tools.
Adwind is so basic anyone with elementary computer skills can carry out surveillance campaigns. Kamluk believes Adwind clients are typically scammers interested in using malware for more advanced fraud campaigns to move to the "next level" of cyber crime, unscrupulous competitors sniffing out company secrets, cyber mercenaries, and private individuals interested in spying on people they know.
"The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cyber crime," said Aleksandr Gostev, chief security expert at Kaspersky Lab.
The fact that customers find it easy to use the platform means Adwind "is not going to go away easily," and banks should brace themselves for a wave of targeted attacks, Kamluk said. It is already popular among criminals in Nigeria, the United States, Canada, Russia, and Turkey, and cross-platform RATs will soon become standard among criminal groups. Similar multifunction platforms will also be available on the market, Gostev predicted.
Criminals have used Adwind to launch attacks against companies across most major industries, including manufacturing, finance, engineering, design, retail, government, shipping, telecommunications, software, education, food production, health care, media, and energy. Victims are infected when they open the malicious JAR file attached to spear phishing emails.
Kaspersky Lab said Adwind was being used globally, although nearly half the victims were concentrated in United Arab Emirates, Germany, India, the United States, Italy, Russia, Vietnam, Hong Kong, Turkey, and Taiwan. Researchers observed 200 examples of spear phishing attacks delivering Adwind malware to more than 68,000 users between August 2015 to January 2016.
Keep in mind that people using Adwind software are not working together, nor are they members of the same attack group. Criminals buy a subscription and craft their own campaigns, Kamluk said. Plans range from a 15-day plan for $35 to a yearlong plan for $300. Customers pay using the AdvCash payment system, where buyers can fund accounts from various sources including traditional wire transfers or bank transfers, bitcoin, Yandux, Paxum, and Perfect Money.
While some of the attacks were targeted, Kasperksy Lab researchers have also seen Adwind being used in opportunistic attacks, Kamluk said.
Putting puzzle pieces together
There have been hints over the years suggesting that Frutas, Unrecom, and AlienSpy were all variants of the same Adwind malware. JSocket and the recent activity on underground forums provide stronger evidence that the tools are all related, Gostev said.
Back in 2012, when Kaspersky Lab was studying Duqu, researchers came across a posting on a Spanish-language underground forum from a developer looking for testers for a new remote administration tool. That tool eventually was released as Frutas, and as the product evolved, it became more sophisticated, Gostev said. Adwind 2.0 was released in January 2013, with a nice interface and plug-in-based architecture. By the time AlienSpy came along, Adwind had added Android support and become a true cross-platform RAT.
JSocket 1.0 launched in June 2015, two months after a report from Fidelis Cyber security shut down AlienSpy. Kaspersky Lab researchers were able to link the previous versions with JSocket thanks to a forum posting from the same developer claiming someone was trying to ruin his or her reputation by spreading malware to Adwind customers.
Kamluk said there were clues suggesting the developer had been working on Adwind as far back as 2005.
"Despite multiple reports about different generations of this tool, published by security vendors in recent years, the platform is still active," Kamluk said, noting the JSocket website is still active. The fact that Jsocket was live two months after Fidelis shut down AlienSpy showed that current methods aimed at disrupting criminal operations are ineffective. New approaches are needed to disrupt this platform completely, he said.
The brains behind the operation
Gostev and Kamluk worked up a profile of the individual they believe is behind Adwind. Based on forum postings and coding patterns, they believe the individual is between 22 and 30 years old and lives in central Mexico -- or at least works hours corresponding to Mexico's workday. The hours of operation appear to be from a little after 9 in the morning and working through the evening, seven days a week. The Adwind mastermind is estimated to earn an estimated $200,000 a year from JSocket, they said.
"This is the story of a Mexican businessman with a successful software startup," Kamluk said. "He has a fantastic website called JSocket."