What is Adwind?
Adwind is trojan-type malware that has many other names including (but not limiting to) AlienSpy, Frutas, JSocket, Sockrat, Unrecom, jRAT.
Criminals proliferate this malware in various ways such as spam emails and fake Adobe Flash Player updates. We can also assume that Adwind infiltrates systems with various adware-type programs (via the so-called "bundling" method) that feed users with intrusive advertisements and gather sensitive data.
Spam email spreading Adwind trojan:
Adwind collects various data, including personal details. According to Kaspersky Lab's research, different versions of Adwind have been used against more than 440,000 private users and various commercial/non-commercial organizations (e.g., finance, shipping, software, education, and so on) between 2013 and 2016.
This trojan virus is capable of recording a wide range of information including keystrokes, saved passwords, etc., and can even record audio/video using microphones and webcams (full list of Adwind's functions). The data is transferred to a remote Command and Control server.
If a connection is unavailable or the server is not responding, the data is stored locally until the connection becomes available. As mentioned above, collected data includes many personal details that can be misused to generate revenue (e.g., criminals can use passwords to transfer money from victims' bank accounts).
In addition, cyber criminals can obtain compromising material, which can be used to blackmail victims. Therefore, the presence of the Adwind trojan can lead to financial losses and privacy issues. Fortunately, most legitimate anti-virus suites are capable of detecting and removing this malware.
Therefore, we strongly advise you to have this precautionary software installed on your computer. If you suspect that your system has been infected with Adwind, immediately perform a full system scan and eliminate all listed threats.
As mentioned above, Adwind can infiltrate the system together with potentially unwanted adware-type programs (PUPs). These programs deliver intrusive ads (coupons, banners, pop-ups, and so on) using tools that enable placement of third party graphical content on any site.
Therefore, displayed ads often conceal underlying website content, thereby significantly diminishing the browsing experience. In addition, intrusive ads often redirect to malicious websites and even execute scripts that download/install malware. Therefore, clicking them can result in high-risk computer infections. PUPs are also known to gather various information.
Although the list of collected data is typically much shorter as compared to information recorded by trojan viruses, it might still contain private details. Furthermore, PUP developers often sell collected data to third parties (potentially, cyber criminals) who generate revenue by misusing private information.
Therefore, the presence of data-tracking apps can also lead to serious privacy issues. We strongly recommend that you uninstall all adware-type applications immediately.
|Name||Adwind trojan (also known as AlienSpy, Frutas, JSocket, Sockrat, Unrecom, and jRAT).|
|Threat Type||Trojan, Password stealing virus, Banking malware, Spyware|
|Detection Names||Avast (Java:Malware-gen [Trj]), BitDefender (Trojan.GenericKD.41594129), ESET-NOD32 (A Variant Of Generik.BVQRECD), Kaspersky (HEUR:Backdoor.Java.QRat.gen), Full List (VirusTotal)|
|Symptoms||Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.|
|Distribution methods||Infected email attachments, malicious online advertisements, social engineering, software cracks.|
|Damage||Stolen banking information, passwords, identity theft, victim's computer added to a botnet.|
|Malware Removal (Windows)||
To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
Although Adwind collects various information, not all trojans perform this function. Some simply open "backdoors" for other high-risk malware (typically, ransomware) to infiltrate the system. Nevertheless, trojans also have other dangerous functions. In fact, some viruses that infiltrate the system via trojans can cause even more damage than Adwind itself.
For example, ransomware might encrypt stored data and proliferate itself to other computers/servers that are connected to the same network. These chain infections can result in loss of valuable data (for example, imagine all files and backups of an engineering company being encrypted).
Adware-type apps, on the other hand, typically have no major differences. By offering "useful features", PUPs attempt to give the impression of legitimacy and trick users to install, however, rather than providing any real value for regular users, adware delivers intrusive ads and records various information. Most PUPs are designed only to help developers to generate passive revenue.
How did potentially unwanted programs install on my computer?
These sites essentially state that the installed Flash Player is outdated and encourages users to download an update. Rather than downloading the update, however, users end up downloading and installing malware (in this case, Adwind trojan). "Bundling" is stealth installation of rogue executables together with regular software.
In many cases, this method is used to proliferate PUPs. Developers hide "bundled" programs within "Custom/Advanced" settings (or other sections) of the download/installation processes.
Many users rush these procedures and skip steps. In some cases, "bundled" malware is concealed and, thus, no matter how carefully you analyze the entire process, you will not be able to notice it.
How to avoid installation of malware?
To prevent these infections, be cautious when browsing the Internet and downloading/installing software. We strongly advise you to immediately delete emails received from suspicious/unrecognizable addresses and certainly NOT to open files attached to such emails.
It is also highly recommended that you keep installed applications up-to-date, however, since criminals proliferate malware via fake updaters, software should be renewed using implemented functions or tools provided by the official developer only.
In addition, carefully observe each window of the download/installation dialogs and opt-out of all additionally-included programs - if you are unable to do so, cancel the entire process. We also recommend that you download your software from official sources only, using direct download links.
Third party downloaders/installers are monetized using the "bundling" method and, thus, these tools should never be used. Having a legitimate anti-virus/anti-spyware suite installed is also paramount. The key to computer safety is caution.
Rogue behavior of Adwind trojan:
- Collecting general system and user information
- Collecting keystrokes
- Managing SMS (Android OS)
- Recording audio from the microphone
- Stealing keys for cryptocurrency wallets
- Stealing saved passwords and grabbing data from web forms
- Stealing VPN certificates
- Taking pictures and recording videos from the webcam
- Taking screenshots
- Transferring files
Update August 20, 2019 - Adwind's developers are promoting this trojan as "Malware-as-a-Service", which means that any wannabe cyber criminal can pay a subscription fee and start using this malware to generate revenue in illegal manner.
Additionally, this malware is being continually updated and its detection-evading capabilities have significantly improved (and will improve further) since its first release.
It has also been implemented with a feature that allows cyber criminals to employ infected machine's hardware to mine various cryptocurrencies (you can find more information regarding cryptomining trojans in this article).
Update May 20, 2020 - The recent outbreak of Coronavirus (Covid-19) has given cyber criminals a huge opportunity to generate revenue. They are using various methods (e.g., fake coronavirus-relating applications, fake websites, spam emails, etc.) to spread high-risk malware. Adwind is no exception.
One of the latest Coronavirus (Covid-19) email spam campaigns used to spread Adwind malware targets customers of various banks in India. As a rule, cyber criminals pretend to be bank employees and encourage recipients to open attachments that contain the list of safety measures that should be taken.
In some cases, users are asked to fill in the attachment (typically, disguised as Microsoft Excel document) by providing information necessary to mitigate the risks. One way or another, users are encouraged to open the attachment, which is a .jar file presented as a document.
Screenshot of a Coronavirus (COVID-19)-themed spam email which distributes Adwind virus:
Text presented within:
Subject: Urgent - COVID measures monitoring template
As you may be aware, a circular dated March 16, 2020 on "COVID-19- Operational and Business Continuity Measures" was issued advising UCBs to take certain measures for ensuring business process resilience and manage the risks posed by the onset and spread of the Covid 19 pandemic. Likewise, certain regulatory measures had been announced on March 27, 2020 to mitigate the burden of debt servicing brought about by disruptions on account of COVID-19 pandemic and to ensure the continuity of viable businesses.
2. Considering the critically of the situation, you are advised to submit the information sought in Sheet 1 of the enclosed template by EOD i.e. April 6, 2020.
3. Further, informationa s per Sheet 2 of the enclosed template may be submitted as and when effects of COVID 19 settle down and operations return to normal.
4. Kindly treat this as urgent.
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
How to remove malware manually?
Manual malware removal is a complicated task, usually it's better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.
If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here's an example of a suspicious program running on user's computer:
If you checked the list of programs running on your computer, for example using task manager and identified a program that looks suspicious you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button.
Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button.
In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run Autoruns.exe file.
In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure click the "Refresh" icon.
Check the list provided by Autoruns application and locate the malware file that you want to eliminate.
You should write down it full path and name. Note that some malware hides their process names under legitimate Windows process names. At this stage it's very important to avoid removing system files. After you locate he suspicious program you want to remove right click your mouse over it's name and choose "Delete"
After removing the malware through Autoruns application (this ensures that the malware won't run automatically on the next system startup) you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware be sure to remove it.
Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills, it's recommended to leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it's better to avoid getting infected that try to remove malware afterwards. To keep your computer safe be sure to install latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections we recommend scanning it with Combo Cleaner Antivirus for Windows.