Adwind

Adwind RAT is a cross-platform, multifunctional malware program written in Java that is distributed through a single malware-as-a-service platform.

In June 2020, an Adwind variant was exploiting a spoofing vulnerability in Windows (CVE-2020-1464) that was discovered in 2018 by security researchers and stayed unpatched for two years. The vulnerability allowed an attacker to take a clean MSI file digitally code-signed by Microsoft, Google, etc. and append a malicious JAR file to it without impacting or changing its digital signature.
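
An added example, not part of the original entry: a triage check for the file layout described above, an MSI (an OLE compound file) with a JAR (a ZIP archive) appended to it. The function names, the 512-byte stand-in MSI and the tiny JAR are constructed for illustration.

```python
import io
import struct
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header (MSI container)
EOCD_SIG = b"PK\x05\x06"                        # ZIP end-of-central-directory record


def appended_jar_info(data: bytes):
    """Return (zip_start, entry_names, looks_like_jar) when `data` is an
    OLE/MSI file with a ZIP archive appended to it, otherwise None."""
    if not data.startswith(CFB_MAGIC):
        return None
    # The EOCD lies in the last 22 + 65535 bytes (fixed part + max comment).
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the start of the archive, so the bytes left
    # in front of it are the file the archive was appended to.
    zip_start = eocd - cd_size - cd_offset
    if zip_start <= 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return None
    is_jar = any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)
    return zip_start, names, is_jar


def constructed_samples():
    """Constructed data: a 512-byte stand-in for an MSI, alone and with a JAR appended."""
    fake_msi = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Main.class", b"\xca\xfe\xba\xbe")
    return fake_msi, fake_msi + buf.getvalue()


if __name__ == "__main__":
    clean, glued = constructed_samples()
    print("clean:", appended_jar_info(clean))
    print("glued:", appended_jar_info(glued))
```

A hit is a heuristic signal for review, since a legitimate installer can carry ZIP data inside its own streams.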

Techniques Used

Domain ID Name Use
Enterprise VT0036 Exploitation for Defense Evasion

The Adwind 2020 variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows that allowed a malicious JAR file to be appended to a clean MSI file signed by Microsoft or Google without impacting or changing the digital signature.

Enterprise VT0016.002 Subvert Trust Controls: Code Signing

Adwind uses a spoofing vulnerability (CVE-2020-1464) in Windows to distribute malicious files that are signed by Microsoft, Google, etc. and appear legitimate.

ID: VS0016

Type: MALWARE

Created: 09 May 2021

Last Modified: 09 May 2021