SoylentNews

upstart writes:

Submitted via IRC for SoyCow3196

Adwind Spyware-as-a-Service Attacks Utility Grid Operators

A phishing campaign that spoofs a PDF attachment to deliver Adwind spyware has been taking aim at national grid utilities infrastructure.

Adwind, a.k.a. JRAT or SockRat, is being used in a malware-as-a-service model in this campaign, researchers said. It offers a full cadre of info-gathering features, including the ability to take screenshots, harvest credentials from Chrome, Internet Explorer and Microsoft Edge, record video and audio, take photos, steal files, perform keylogging, read emails and steal VPN certificates.

“Critical infrastructure facilities are high-risk targets, and the fact that Adwind is available as a paid service is very concerning,” Bob Noel, vice president of strategic relationships for Plixer, told Threatpost. “Anyone willing to pay can target utilities, and when successful, they have the ability to collect keystrokes, steal passwords, grab screenshots, take pictures from the web camera, record sound, etc. If infected end users have access to critical system information, it could be stolen and used in an attempt to attack the facility.”

[...] Adwind has made bypassing and disabling security tools a hallmark. Last year, a new variant emerged that used a fresh take on the Dynamic Data Exchange (DDE) code-injection technique for anti-virus evasion.

“Tricking end users into clicking on malicious links or attachments continues to be the most successful means for bad actors to gain access,” said Noel. “As is true in the case of the Adwind remote access trojan, once malware lands on a device, it often has the ability to disable antivirus and other types of endpoint detection agents loaded on the device.”

Original Submission