LTS Secure Warning: Utilities Industry Under Attack Via Weaponized PDF Delivering Adwind Malware
A new phishing campaign targeting the utilities industry has been spotted that spoofs a PDF file to drop Adwind malware. In this campaign the malware is being offered in a malware-as-a-service model.
The initial phase of the infection starts with a phishing mail, sent from a hijacked account, that contains the malicious PDF. The email states, “This mail contains a copy of our remittance advice which you are required to sign and return”, tricking the user into clicking the embedded button. Once clicked, the user is directed to a malicious domain hosting the initial payload.
The downloaded payload is “Scan050819.pdf_obf.jar”. Here the attacker uses obfuscation techniques to make the file look like a genuine PDF. After this, two java.exe processes are created to load two .class files, which contain the malware. The attackers further make use of taskkill.exe to disable antivirus and malware-analysis tools.
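The infection chain above leaves two observable stages on the endpoint: a Java process launching a .jar whose name is dressed up as a PDF, and a taskkill.exe child of that Java process. The following added example (not code from LTS Secure or from the campaign analysis) shows detection logic run over constructed process-creation log lines; the key=value log layout, the field names, the sample paths and the list of security-tool process names are assumptions.

```python
"""Flag the two Adwind indicators described above in process-creation logs.

Added example, not the page's or LTS Secure's code. The log layout
(key=value, Sysmon-like), the field names and the process names in
SECURITY_TOOLS are assumptions made for illustration.
"""
import re

# Assumed names of analysis/AV processes an attacker might try to kill.
SECURITY_TOOLS = {"procmon.exe", "procexp.exe", "wireshark.exe", "msmpeng.exe"}

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A file that carries ".pdf" in its name but really ends in ".jar",
# e.g. Scan050819.pdf_obf.jar or invoice.pdf.jar
DISGUISED_JAR_RE = re.compile(r'\.pdf[^\\/\s"]*\.jar$', re.IGNORECASE)
# The process name handed to taskkill's /IM switch
IM_RE = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)
JAVA_IMAGES = ("java.exe", "javaw.exe")

# Constructed sample records (assumption: this is not real telemetry).
SAMPLE_LOGS = [
    'ts=2019-08-05T10:01:02Z host=WS01 parent=outlook.exe image=chrome.exe cmd="chrome.exe https://example.invalid/remittance"',
    'ts=2019-08-05T10:01:40Z host=WS01 parent=explorer.exe image=java.exe cmd="java.exe -jar C:\\Users\\u\\Downloads\\Scan050819.pdf_obf.jar"',
    'ts=2019-08-05T10:01:41Z host=WS01 parent=java.exe image=java.exe cmd="java.exe -cp C:\\Users\\u\\AppData\\Local\\Temp\\x.class"',
    'ts=2019-08-05T10:01:45Z host=WS01 parent=java.exe image=taskkill.exe cmd="taskkill.exe /IM procmon.exe /F"',
    'ts=2019-08-05T10:05:00Z host=WS02 parent=explorer.exe image=java.exe cmd="java.exe -jar C:\\Tools\\build.jar"',
    'ts=2019-08-05T10:06:00Z host=WS02 parent=cmd.exe image=taskkill.exe cmd="taskkill.exe /IM notepad.exe"',
]


def parse_record(line):
    """Turn one key=value log line into a dict (quoted values keep spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def is_disguised_jar(name):
    """True when a file named like a PDF is actually a .jar."""
    return DISGUISED_JAR_RE.search(name) is not None


def find_disguised_jar(cmd):
    """Return the first disguised .jar token on a command line, or None.

    Simplification: tokens are split on whitespace, so paths containing
    spaces are not handled.
    """
    for token in cmd.split():
        if is_disguised_jar(token):
            return token
    return None


def taskkill_target(cmd):
    """Return the lower-cased image name passed to taskkill /IM, if any."""
    match = IM_RE.search(cmd)
    return match.group(1).lower() if match else None


def analyze(record):
    """Return a list of (severity, reason) findings for one parsed record."""
    findings = []
    image = record.get("image", "").lower()
    parent = record.get("parent", "").lower()
    cmd = record.get("cmd", "")

    # Stage 1: Java launching a .jar that pretends to be a PDF.
    if image in JAVA_IMAGES:
        jar = find_disguised_jar(cmd)
        if jar:
            findings.append(("high", f"java launched disguised PDF jar: {jar}"))

    # Stage 2: taskkill spawned by Java. Any such child is odd; one aimed
    # at a security tool is rated high.
    if image == "taskkill.exe" and parent in JAVA_IMAGES:
        target = taskkill_target(cmd) or "?"
        severity = "high" if target in SECURITY_TOOLS else "medium"
        findings.append((severity, f"taskkill spawned by Java against {target}"))
    return findings


def scan(lines):
    """Run analyze() over raw log lines and collect alerts with context."""
    alerts = []
    for line in lines:
        record = parse_record(line)
        for severity, reason in analyze(record):
            alerts.append({
                "ts": record.get("ts"),
                "host": record.get("host"),
                "severity": severity,
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Running the block against the constructed sample prints two alerts for host WS01 (the disguised jar launch and the Java-spawned taskkill against procmon.exe) and nothing for WS02, where a legitimate build.jar and an interactive taskkill from cmd.exe are left alone. The parent-process condition is what keeps the second rule quiet on ordinary administrative use of taskkill.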
Once running, Adwind can:
- Log the user’s keystrokes.
- Record video and take pictures from the webcam.
- Record sound from the microphone.
- Take screenshots of the desktop.
- Steal credentials from IE, Edge and Chrome.
- Transfer files.
- Collect user and system information.
Recommended precautions:
- Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to identify malspam.
- Always keep your antivirus software updated with the latest releases.
- Periodically run a full system scan on your endpoints.
- Isolate all compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.