Fake Swift Copy malspam via compromised sites delivering Java Adwind/ QRAT /JRAT Trojan

We continue to be plagued daily by fake financial themed emails containing java adwind / Java Jacksbot /QRAT /JRAT attachments. I have previously mentioned many of these  HERE. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a  slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically.

There is currently a major malware campaign malspamming Java Adwind /Qrat /Jrat using generic, non specific email subjects based around invoices or payment queries.

Today’s is slightly different to the usual run of emails we have been receiving. The emails pass authentication checks and do come from the sender, which is almost certainly compromised to send the emails. Either by the email address holder falling victim to a previous phishing attack and giving up log in credentials or by a vulnerability on the website allowing the criminals to take control  of or log in to the email system. Normally they attach the zip file or Java.jar file to the email, but today they have  a link to download the zip containing the Java Trojan

Make Note: Java Adwind  / Java Jacksbot are both very dangerous remote access backdoor Trojans, that have cross OS capabilities and can potentially run and infect any computer or operating system including windows, Apple Mac, Android and Linux. It however can only be active or infect you if you have Sun / Oracle Java installed. Along with most security professionals, I strongly urge you to uninstall java and not use it, unless you have a pressing need for it. The majority of domestic ( home ) users and small businesses have no need for Java on their computers. This Article from a couple of years ago explains why you should remove it. If you cannot remove it then it must be kept up to date and be extremely careful with what you download or open.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet,  only show the Name in the From:  and not the bit in <domain.com >. That is why these scams and phishes work so well.

Swift Copy_pdf.zip, extracts to  Swift Copy_pdf.jar (537kb) Current Virus total detections: Hybrid Analysis |

This version was first seen 30 January 2018 and by today ( 2 days later) is still extremely badly detected by most antiviruses.

To read the original article:

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *