Users Clicking Through Warnings, Leading to RAT Infections

Cisco Talos and ReversingLabs warn that the Adwind Remote Access Trojan (RAT) has added capabilities that enable it to bypass some anti-virus technologies, though users still need to click through warnings in Microsoft Office.


There are many different ways that an attacker can compromise a system; one of them is getting users to ignore warnings about risk.

Cisco Talos, along with partner ReversingLabs, reported a new approach used by the Adwind Remote Access Trojan (RAT) that makes use of Dynamic Data Exchange (DDE) to get past users' anti-virus software. As it turns out, the Adwind DDE attack vector also requires users to click through not one, but three different warning dialogue boxes in Microsoft Office, each advising them not to proceed, before they are infected.

"Sadly, users often ignore warnings," Paul Rascagneres, Security Researcher, at Cisco Talos, told eWEEK.

The Adwind RAT has been active for several years, with the new method being detected in the Adwind 3.0 version of the RAT. ReversingLabs first discovered the new Adwind campaign on Sept. 10. Craig Williams, Director of Outreach at Cisco Talos, told eWEEK that Cisco and ReversingLabs are intelligence partners and that both groups are part of the Cyber-Threat Alliance (CTA). Adwind is capable of attacking multiple desktop operating systems, including Windows, macOS and Linux.

"This one is developed in Java so it’s easy to have multiple OS support and it works on any window manager," Rascagneres said. "It's not unique, Adwind supported Linux for years."

While Adwind supports Linux and macOS, the new DDE attack vector only works on Windows. Rascagneres explained that Linux does not have Microsoft Office, and while there is a version of Office for macOS, it has no DDE support. The new attack in Adwind 3.0 injects code via DDE and is not blocked by traditional anti-virus (AV) technology, though users do get a series of warning dialogues in Microsoft Office that require them to click to continue. Once the full Adwind payload is on a victim's system, Rascagneres said, the attacker has full access to the machine: they are able to spy on the user and to push and execute additional binaries.

"The infected systems become part of the attacker botnet," he added.

The attack peaked on Aug. 28, according to Cisco Talos, and Rascagneres said that more than 200 unique malicious Office documents were identified. He added that Adwind is also known as jRAT and has existed for years, often being sold in a malware-as-a-service model.

"The source code is available and a lot of bad guys developed variants based on it," Rascagneres said. "We cannot do attribution based on this malware, it's used by a lot of different persons."

Defending Against Adwind

Aside from heeding warnings in Office about potentially risky operations, there is another simple thing that organizations can do to defend against the new Adwind attack.

"The easiest way to protect organization is to keep Office up to date," Rascagneres said. "At the beginning of the year, Microsoft pushed an update to disable DDE by default."
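Patching Office removes the DDE launch path, but a defender still wants to find the lure documents themselves, since the article notes more than 200 unique malicious Office files in this campaign. The following scanner is an added example written for this article; it is not code from Cisco Talos, ReversingLabs or the Adwind authors. It opens a .docx (an OOXML zip) and reports any field whose instruction is a DDE or DDEAUTO field code, joining field instruction text that Word splits across several `w:instrText` runs so that a simple split does not hide the keyword. The sample documents are constructed in memory with placeholder application and topic names; the function names `find_dde_fields` and `build_docx` are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE and DDEAUTO are the Word field codes that hand control to another
# application through Dynamic Data Exchange.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_instructions(part_xml: bytes):
    """Yield the instruction string of every field in one WordprocessingML part.

    Simple fields carry the instruction in the w:instr attribute of w:fldSimple.
    Complex fields spread it over w:instrText runs, sometimes one run per
    character, so the runs of each paragraph are concatenated before matching.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    for para in root.iter(W + "p"):
        runs = [t.text or "" for t in para.iter(W + "instrText")]
        if runs:
            yield "".join(runs)


def find_dde_fields(docx_bytes: bytes):
    """Return [(part_name, instruction), ...] for every DDE/DDEAUTO field.

    Every word/*.xml part is scanned, not just document.xml, because fields
    may also sit in headers, footers and footnotes.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in _field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append((name, instr.strip()))
            except ET.ParseError:
                continue  # malformed part: not a field we can read, keep going
    return hits


def build_docx(body_xml: str) -> bytes:
    """Assemble a minimal, constructed .docx around the given body XML (test data only)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample 1: a complex field whose DDEAUTO instruction is split across
# two runs; the application and topic are placeholders, not a real command.
SPLIT_DDE = (
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO "placeholder_app" "placeholder_topic" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>display text</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)

# Constructed sample 2: an ordinary document with a harmless DATE field.
BENIGN = ('<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
          '<w:r><w:t>1 January 2018</w:t></w:r></w:fldSimple></w:p>')


if __name__ == "__main__":
    for label, body in (("split DDEAUTO", SPLIT_DDE), ("benign DATE", BENIGN)):
        print(label, "->", find_dde_fields(build_docx(body)))
```

Run against a directory of inbound attachments, the scan flags any document carrying a DDE field for quarantine regardless of whether the user would have clicked through the three Office prompts; a hit is a strong signal because legitimate business documents almost never use DDE fields, while the benign DATE field shows the check does not fire on ordinary field codes.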

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.