Security researchers spotted the latest iteration of an evolving Turkish phishing campaign that’s targeting more than 80 companies with Adwind malware.

Check Point Research analyzed the campaign and found that it used a phishing email containing an Office file attachment as its initial attack vector. This attachment dropped a heavily obfuscated JAR file that leveraged several evasion techniques to avoid detection. The JAR file then downloaded version 3.0 of Adwind from a GitHub repository.

This particular version of the Trojan can move laterally through networks and is able to take screenshots, record videos and sounds from the PC, steal files, collect keystrokes and certificates as well as control the SMS system of Android devices. The malware exfiltrates this stolen data to its command-and-control (C&C) server.

At the time of Check Point’s analysis, the ongoing malspam campaign had targeted more than 80 Turkish companies.

A Historical Analysis of the Campaign

Check Point isn’t the only security firm to analyze this campaign. Back in September 2018, Cisco Talos reported on a new spam campaign in which droppers leveraged a Dynamic Data Exchange (DDE) code injection attack to target users in Turkey with Adwind v3.0.

Nearly a year later, SophosLabs noticed that those behind the attack had begun targeting Turkish users with both Adwind and samples of the Fareit Trojan family. The latest iteration of the campaign added an Externsheet injection, a rare technique that helped it fly under the radar of many security products.

Improve Defenses Against Phishing Campaigns

Security professionals can help their organizations defend against attacks such as the Turkish phishing campaign described above by developing and refining processes for promptly responding to successful phishing and business email compromise (BEC) attacks. Companies should also conduct simulated phishing attacks to evaluate the preparedness of their workforce against email-based threats.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes. Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued. While this novel notes approach will eventually be phased out as phishing defenses catch up,…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…