Security researchers spotted the latest iteration of an evolving Turkish phishing campaign that’s targeting more than 80 companies with Adwind malware.
Check Point Research analyzed the campaign and found that it used a phishing email containing an Office file attachment as its initial attack vector. This attachment dropped a heavily obfuscated JAR file that leveraged several evasion techniques to avoid detection. The JAR file then downloaded version 3.0 of Adwind from a GitHub repository.
This particular version of the Trojan can move laterally through networks and is able to take screenshots, record videos and sounds from the PC, steal files, collect keystrokes and certificates as well as control the SMS system of Android devices. The malware exfiltrates this stolen data to its command-and-control (C&C) server.
At the time of Check Point’s analysis, the ongoing malspam campaign had targeted more than 80 Turkish companies.
A Historical Analysis of the Campaign
Check Point isn’t the only security firm to analyze this campaign. Back in September 2018, Cisco Talos reported on a new spam campaign in which droppers leveraged a Dynamic Data Exchange (DDE) code injection attack to target users in Turkey with Adwind v3.0.
Nearly a year later, SophosLabs noticed that those behind the attack had begun targeting Turkish users with both Adwind and samples of the Fareit Trojan family. The latest iteration of the campaign added an Externsheet injection, a rare technique that helped it fly under the radar of many security products.
Improve Defenses Against Phishing Campaigns
Security professionals can help their organizations defend against attacks such as the Turkish phishing campaign described above by developing and refining processes for promptly responding to successful phishing and business email compromise (BEC) attacks. Companies should also conduct simulated phishing attacks to evaluate the preparedness of their workforce against email-based threats.