Cofense researcher Milo Salvia has published a new blog warning of a phishing campaign delivering the Adwind malware. The campaign is targeting companies within the national grid infrastructure and is just the latest attack on Critical National Infrastructure (CNI). The attack relies on a spoofed PDF attachment that is really a jpg with an embedded hyperlink. Clicking on the PDF image takes the user to a site where the initial payload is downloaded to their machine.
Salvia comments: “The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software.” One of those tools is Microsoft’s Advanced Threat Protection (ATP).
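The behaviour Salvia describes, a process using the built-in taskkill.exe to stop analysis and antivirus tooling, is easy to surface from process-creation telemetry. The following is an added illustration written for this article, not code from Cofense or from the blog; the event format, the sample events and the watch-list of security and analysis process names are all assumptions made for the example.

```python
"""Flag process-creation events in which taskkill.exe is pointed at security
or analysis tooling.  Added example; the log shape and watch-list are assumed."""
import re

# Constructed sample process-creation events (image path + command line).
# These are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM MsMpEng.exe"},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /IM notepad.exe"},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": 'taskkill /F /IM "procmon.exe" /IM wireshark.exe'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]

# Example watch-list (assumed for this illustration): image names of common
# antivirus/EDR components and analysis tools.  Extend to match your estate.
WATCHED = {
    "msmpeng.exe",    # Windows Defender engine
    "mssense.exe",    # Microsoft Defender for Endpoint sensor
    "procmon.exe",    # Sysinternals Process Monitor
    "procexp.exe",    # Sysinternals Process Explorer
    "wireshark.exe",
    "x64dbg.exe",
    "fiddler.exe",
}

# taskkill accepts one or more "/IM <imagename>" arguments, optionally quoted.
_IM_ARG = re.compile(r'/IM\s+"?([^\s"]+)"?', re.IGNORECASE)


def taskkill_targets(cmdline):
    """Return the lower-cased image names a taskkill command line targets."""
    return [t.lower() for t in _IM_ARG.findall(cmdline)]


def is_suspicious(event):
    """True when the event is taskkill.exe aimed at a watched process."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "taskkill.exe":
        return False
    return any(t in WATCHED for t in taskkill_targets(event["cmdline"]))


def find_alerts(events):
    """Return the command lines of all suspicious events, in order."""
    return [e["cmdline"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT: security tooling killed via taskkill:", line)
```

Matching on the image name alone is deliberately narrow; a fuller rule would also cover `taskkill /PID` after a `tasklist` lookup and the equivalent `Stop-Process` in PowerShell, but the principle is the same: a process stopping your security tooling is itself the signal.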
Microsoft claims that ATP: “Provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content.” In this case, users relying on ATP would assume that the link is safe because ATP has not disabled it.
What does Adwind do?
Adwind is Malware as a Service. It allows anyone to purchase access to the software and then use that software to attack sites. This is a growing market that allows malware writers to monetise their software without having to attack sites themselves. For budding cyber criminals, it gives them a step up into launching attacks and fast tracking their career.
Salvia lists the following features that exist within Adwind:
- Takes screen shots
- Harvests credentials from Chrome, IE and Edge
- Accesses the webcam to record video and take photos
- Records audio from the microphone
- Transfers files
- Collects general system and user information
- Steals VPN certificates
- Serves as a Key Logger
How is it being spread?
The attack starts with an email claiming to be a remittance advice and asking users to click on the PDF attachment. Salvia says that the email pretends to be from Friary Shoes. This raises the question as to who would click on it and why. There is no attempt in the sample email that Salvia includes in the blog to suggest that it has anything to do with the utility company.
Clicking on the link starts the infection process. Users are taken to a hijacked domain owned by Fletcher Specs. As soon as they land on the hijacked domain site the malware is downloaded to the local machine. At this point it executes and installs its utilities onto the infected computer.
From the information provided by Salvia, it seems that this is a point attack. Adwind is not using the infected machine as a distribution point across the local network so isolation and cleaning of the machine should work. However, it is a credential stealer. Once machines are clean, users will want to change any and all passwords that they have cached in the browser.
Enterprise Times: What does this mean?
The phishing campaign suggests that only utilities are being targeted. It is more likely that the attacker is simply using the first mailing list they were able to get access to. Other reports around Adwind show that it has been used to attack a wide variety of verticals and with some success.
There are three things that should stop any user falling for this.
- Basic user education should stop anyone clicking on this link. After all, how many utilities have bought from Friary Shoes?
- Even if the user has purchased from Friary Shoes, they should ask themselves when that was and why the emails are coming to their work address.
- Hovering over the link shows it is redirected to Fletcher Specs. There is no bigger red flag than suddenly finding the link goes to a different company.
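Two of the tell-tales in this article can be checked mechanically before a user ever hovers over anything: the “PDF” attachment described at the top of the piece is really a JPEG with a link on it, and the link points at a company other than the one the email claims to come from. The following is an added example written for this article, not code from Cofense or the blog. The message it analyses is constructed inline, and the `.example` domains stand in for the real Friary Shoes and Fletcher Specs sites, whose addresses the article does not give.

```python
"""Check an email for (1) attachments whose magic bytes contradict their
claimed file type and (2) body links pointing off the sender's domain.
Added example; the sample message below is constructed, not the real lure."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Leading bytes of a few common formats, mapped to the extension they imply.
MAGIC = {
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
}


def sniff(data):
    """Return the format implied by the first bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def attachment_mismatches(msg):
    """List (filename, claimed_ext, actual_kind) for every mislabelled attachment."""
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        actual = sniff(part.get_payload(decode=True) or b"")
        if ext and actual not in ("unknown", ext):
            out.append((name, ext, actual))
    return out


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def offdomain_links(msg):
    """List body links whose host is not the sender's domain or a subdomain of it."""
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    out = []
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            out.append(href)
    return out


def build_sample():
    """Construct a lure shaped like the one described: a 'PDF' that is a JPEG
    wrapped in a link to a different company's domain.  Placeholder domains."""
    msg = EmailMessage()
    msg["From"] = "accounts@friaryshoes.example"   # constructed sender
    msg["To"] = "ap@utility.example"               # constructed recipient
    msg["Subject"] = "Remittance advice"
    msg.set_content("Please see the attached remittance advice.")
    msg.add_alternative(
        '<p>Remittance advice attached.</p>'
        '<a href="https://fletcherspecs.example/download"><img src="cid:pdf"></a>',
        subtype="html")
    # JPEG SOI marker followed by filler, but named and labelled as a PDF.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="application", subtype="pdf",
                       filename="Remittance.pdf")
    return msg.as_bytes()


def analyse(raw):
    """Parse raw RFC 5322 bytes and run both checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {"attachments": attachment_mismatches(msg),
            "links": offdomain_links(msg)}


if __name__ == "__main__":
    print(analyse(build_sample()))
```

Either finding on its own is enough to quarantine a message for review; together they reproduce, in code, exactly the two red flags the list above expects a user to notice by eye.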
Salvia has rightly avoided any attempt at attribution of this attack. It has come from a Malware as a Service platform. Tracing it back will be difficult and likely unproductive. It doesn’t really matter if this comes from a nation state or a wannabe cyber criminal. It is an attack that shouldn’t have any success rate at all, despite it disabling security programmes.
This warning also comes at a worrying time for the National Grid. It has had a bad month with power outages which have led to a regulatory investigation. It will want to warn all of its suppliers about this attack. That said, there is absolutely no evidence that this phishing campaign has had any bearing on recent problems. However, that does not mean it should be ignored.