Inside Adwind: A DIY malware toolkit used by 1,800 crooks to spy on 443k victims

Security researchers have lifted the lid on Adwind – a malware-as-a-service platform which has hit more than 400,000 users and organisations across the globe.

The Adwind RAT (remote access tool) is a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which is distributed through a single malware-as-a-service platform. The Java-based nasty can run on Windows, OS X, Linux and Android platforms, providing hackers with remote desktop control, data gathering, data exfiltration and more.

Other commercial malware packages exist, but Adwind platform is unusual because it is distributed openly in the form of a paid service. Punters pay a fee in return for use of the malicious program.

Based on an investigation of users' activity on the internal message board and other intelligence, Kaspersky Lab researchers estimate that there were around 1,800 users in the system by the end of 2015. This makes Adwind one of the biggest malware platforms in existence.

But it's the diversity of user types that really catches the eye. Kaspersky Lab researchers believe that the clients of the Adwind platform fall into a number of different categories: scammers who want to use malware as part of more advanced frauds, firms prepared to stoop to using malware against competitors, cyber-mercenaries (or spies for hire), and private individuals who want to spy on people they know.

Kaspersky Lab estimates the revenue of the whole service at around $200k per year, or just over $100 per paying customer.

Different versions of the Adwind malware have infected computers used by at least 443,000 people and commercial and non-commercial organisations worldwide. The platform and the malware are still active.

While it is used mainly by opportunistic criminals, there are cases where Adwind was used in targeted attacks. In August 2015, Adwind featured in cyber-espionage against an Argentinian prosecutor who had been found dead in January 2015. The malware targeted a Singaporean bank – an incident that prompted Kaspersky researchers to take a closer and much more detailed look at the malware.

"The Adwind platform in its current state lowers significantly the minimum amount of professional knowledge required by a potential criminal looking to enter the area of cybercrime," said Aleksandr Gostev, chief security expert at Kaspersky Lab.

"What we can say based on our investigation of the attack against the Singaporean bank is that the criminal behind it was far from being a professional hacker, and we think that most of the Adwind platform's 'clients' have that level of computer education. That is a worrisome trend," he concluded.

More details on the Adwind malware platform can be found in an FAQ on Kaspersky Lab's Securelist blog here. ®