Remember just under a decade ago, back to yesteryear when Windows was known for malware and Mac computers were not? Amazing how things have changed—these days malware is everywhere, and this unmistakable trend is troubling.
Last week, news circulated about a new threat, called Adwind RAT, a multi-platform remote access trojan written in Java and that is fully functional on Windows, and partially functional on OS X. There are a few things to know about this specific threat and how OS X/macOS users can protect against it.
The first thing Mac users should be aware of is that the risk of infection is low, for many reasons. But all computers users must be aware that because Adwind is written in Java, it is capable of infecting all major operating systems where Java is supported, including: Windows, Mac, Linux, and Android.
For Intego customers, you should be aware that our Mac antivirus software, VirusBarrier, with up-to-date malware definitions detects and eradicates this threat, identified as Java/Adwind. If you have real-time scanning enabled, then you are safe.
Onward, to the juicy details of Adwind. Following is everything you need to know to keep safe and protect your Mac from Adwind RAT malware.
What is the infection vector?
According to Catalin Cimpanu over at Softpedia.com, security researchers discovered a version of Adwind RAT that was “distributed as part of a malware distribution campaign spotted at the start of the month, which actually dropped a Mac-specific payload when infecting Mac devices.” Adwind RAT appears to be spreading as part of a spam email campaign, which targeted Danish companies.
The campaign took place over the weekend, and according to Heimdal Security experts, it only targeted Danish companies.
Regardless of its initial scope, all spam emails were written in English, so an expansion to other countries may not take more than the push of a button somewhere in the crook’s control panel.
Adwind malware has been circulating for years, dating back to 2012, distributed under several different names, such as jRAT and others with similar capabilities.
Why is Adwind a low risk threat for Mac users?
It’s important to know that in order to install Adwind malware, it requires Java to be installed. By default, OS X and macOS are not shipped with Java. Therefore, to execute the file, Mac users would need to download the JRE at Oracle.com.
Furthermore, over the years Apple has added a number of security features to its Mac platform. Apple’s macOS and OS X offer built-in security features to protect users from unidentified developer files. Most Mac users are protected by restricting app downloads using secure Gatekeeper settings:
In System Preferences > Security & Privacy > General, Gatekeeper must be set to “Allow apps downloaded from Mac App Store and identified developers.” (To restrict to Mac App Store stuff only, set to “Mac App Store.”)
Where does Adwind malware install, and how?
Regardless of the Gatekeeper settings preferences, any user—whether carelessly or intentionally—can override its protection.
If a user attempts to execute a file that comes from an unidentified developer (not signed with a valid Apple digital certificate), Gatekeeper will warn the user, but not fully prevent installation if the user skips the warning.
For example, when attempting to run the Adwind RAT file by double-clicking on it, Mac users will see a Gatekeeper alert:
To override Gatekeeper, users could Control-Click or Right-Click on the file.
And that’s not the only way to get around Gatekeeper’s protection. Gatekeeper’s quarantine attribute is not applied if a user drops a file locally from one Mac to another; for instance, if you download the Adwind RAT sample on your Mac, unzip the password protected archive, and then drop the file to a remote Mac in your LAN.
Executing the Dropper
On OS X or macOS, when executing the Adwind dropper—meaning that when the rogue file is executed, it will “drop” its infection on the target—it creates a launch agent, which it uses to start a loader that is devoted to download malicious files from the Internet or connect to rogue servers.
Adwind is a Java executable bundle; it is a ZIP archive.
It contains several classes:
As mentioned previously, in order to execute this file, the user needs to install a JDK (Java Developer Kit) from Oracle.com.
If executed, Intego security researchers found that Adwind RAT always attempts to open a connection to a specific URL.
When executing the file on OS X El Capitan, the launch agent was not created, even when ran with sudo. (We are unsure at the moment why this does not happen.) However, Intego researchers found that the launch agent was created on OS X Mavericks.
The malicious file then writes a number of files on the target computer:
This agent ensures that a rogue executable file is loaded.
This file is the main loader, which connects to a rogue server to download additional files.
When taking a closer look, we noticed that Adwind copies itself on the disk.
What steps can Mac users take to protect their computers?
Graham Cluley on his blog issued sound advise and said it’s best to exercise security awareness and caution, and to “not open suspicious email attachments,” in addition to installing an antivirus solution on your Mac. Intego VirusBarrier with up-to-date definitions detects and quarantines both the agent and the Java file, detected as Java/Adwind.
If infected, Mac users may prefer to manually remove the Java app, named BgHSYtccjkN.ELbrtQ, from the Home folder. You can also manually remove the malicious launch file, named org.yrGfjOQJztZ.plist, from your user LaunchAgents folder.
To remove the Java app via Finder, choose Go > Go to Folder menu, enter /.UQnxIJkKPii/UQnxIJkKPii and then click Go. If it exists, you are infected: Move BgHSYtccjkN.ELbrtQ to the trash. (The files are dropped in the Home Folder. It requires a path, such as /Users/intego/.UQnxIJkKPii/UQnxIJkKPii/BgHSYtccjkN.ELbrtQ.)
To remove the Launch Agent via Finder, choose Go > Go to Folder, enter /Library/LaunchAgents and then click Go. Move org.yrGfjOQJztZ.plist to the Trash. (Example path: /Users/intego/Library/LaunchAgents/org.yrGfjOQJztZ.plist.)
And voilà! Machine cleansed. 🙂