Security researchers spotted the latest iteration of an evolving Turkish phishing campaign that’s targeting more than 80 companies with Adwind malware.

Check Point Research analyzed the campaign and found that it used a phishing email containing an Office file attachment as its initial attack vector. This attachment dropped a heavily obfuscated JAR file that leveraged several evasion techniques to avoid detection. The JAR file then downloaded version 3.0 of Adwind from a GitHub repository.

This particular version of the Trojan can move laterally through networks and is able to take screenshots, record videos and sounds from the PC, steal files, collect keystrokes and certificates as well as control the SMS system of Android devices. The malware exfiltrates this stolen data to its command-and-control (C&C) server.

At the time of Check Point’s analysis, the ongoing malspam campaign had targeted more than 80 Turkish companies.

A Historical Analysis of the Campaign

Check Point isn’t the only security firm to analyze this campaign. Back in September 2018, Cisco Talos reported on a new spam campaign in which droppers leveraged a Dynamic Data Exchange (DDE) code injection attack to target users in Turkey with Adwind v3.0.

Nearly a year later, SophosLabs noticed that those behind the attack had begun targeting Turkish users with both Adwind and samples of the Fareit Trojan family. The latest iteration of the campaign added an Externsheet injection, a rare technique that helped it fly under the radar of many security products.

Improve Defenses Against Phishing Campaigns

Security professionals can help their organizations defend against attacks such as the Turkish phishing campaign described above by developing and refining processes for promptly responding to successful phishing and business email compromise (BEC) attacks. Companies should also conduct simulated phishing attacks to evaluate the preparedness of their workforce against email-based threats.

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…