LTS Secure Warning: Utilities Industry Under Attack Via Weaponized PDF Delivering Adwind Malware

A new phishing campaign targeting the utilities industry has been spotted that spoofs a PDF file to drop Adwind malware. In this campaign, the malware is being used in a malware-as-a-service model.

 

Technical Details

The initial phase of the infection process starts with a phishing email, sent from a hijacked account, that contains the malicious PDF. The email states, “This mail contains a copy of our remittance advice which you are required to sign and return”, tricking the user into clicking the embedded button. Once it is clicked, the user is directed to a malicious domain hosting the initial payload.

The downloaded payload is named “Scan050819.pdf_obf.jar”. Here, the attacker uses obfuscation techniques to make it look like a genuine PDF file. After this, two java.exe processes are created to load two .class files, which contain the malware. The attackers also use taskkill.exe to disable antivirus and malware analysis tools.
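
A triage check for the disguise described above, as an added example that is not part of the original advisory: it flags files whose name embeds a document type before an executable extension, and files named .pdf whose leading bytes are not a PDF header. The extension lists, the name "remittance.pdf" and the sample byte strings are constructed for illustration; only the file name Scan050819.pdf_obf.jar comes from the advisory.

```python
import re

# Extensions that run code when opened (a .jar needs a Java runtime installed).
EXECUTABLE_EXTS = {"jar", "js", "vbs", "exe", "scr", "hta"}
# Document-type tokens embedded in a name to make it look harmless.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Leading bytes ("magic") of the content types relevant here.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/jar", b"MZ": "pe"}


def sniff_type(head):
    """Identify content from its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(name, head):
    """Return the reasons a file looks like a disguised executable."""
    findings = []
    stem, _, ext = name.lower().rpartition(".")
    tokens = set(re.split(r"[^a-z0-9]+", stem))
    if ext in EXECUTABLE_EXTS and tokens & DOCUMENT_TOKENS:
        findings.append("document-like name with executable extension ." + ext)
    kind = sniff_type(head)
    if ext == "pdf" and kind != "pdf":
        findings.append("extension .pdf but content is " + kind)
    return findings


if __name__ == "__main__":
    # Constructed samples: first name is from the advisory, bytes are made up.
    samples = [
        ("Scan050819.pdf_obf.jar", b"PK\x03\x04\x14\x00"),
        ("remittance.pdf", b"PK\x03\x04\x14\x00"),
        ("remittance.pdf", b"%PDF-1.7\n"),
    ]
    for name, head in samples:
        print(name, "->", triage(name, head) or "no findings")
```

The same two checks can be applied at a mail gateway or web proxy, where both the declared file name and the first bytes of the content are available.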

 

Impact

  • Logs user’s keystrokes.
  • Records videos & takes pictures from webcam.
  • Records sound from microphone.
  • Takes screenshots of desktop.
  • Steals credentials from IE, Edge & Chrome.
  • Transfers files.
  • Collects user & system information.

 

Recommended Actions

  • Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.