Targeted Distribution of Adwind in Italy

The article reports on a large-scale phishing campaign using PDF email attachments to distribute the Adwind RAT, primarily targeting Spain, Portugal, and Italy. The malware uses obfuscated scripts to download payloads disguised as images and archives, compromising mainly Windows systems. #Adwind #CERT-AGID

Keypoints

  • The campaign employs PDF attachments named Documento.pdf or Fattura.pdf containing links to cloud storage services such as OneDrive or Dropbox.
  • The cloud link serves an obfuscated VBS or HTML script which, once run, fetches a decoy PDF together with a large ZIP archive (approx. 90 MB) containing the malware.
  • The ZIP archive bundles a Java runtime (which is what makes it so large, and means the malware runs even where Java is not installed) plus a JAR file stored under an image file name (InvoiceXpress.png); a CMD script (InvoiceXpress.cmd) launches the JAR.
  • The JAR carries a checksum used for its configuration; this matches known Adwind samples and confirms attribution to that malware family.
  • The configuration is encrypted with AES in ECB mode. Since the JAR must be able to decrypt it at run time, the key travels with the sample, and the configuration can be recovered with a simple CyberChef recipe.
  • Command and control traffic goes to localto.net and its subdomains, mostly on port 4414, consistent with earlier Fortinet analyses of Adwind infrastructure.
  • Although Adwind is a cross-platform Java RAT, the variant in this campaign targets Windows only: the delivery chain (VBS and CMD scripts) runs nowhere else.
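
The archive layout described above (bundled Java runtime, CMD launcher, JAR stored under a .png name) can be triaged automatically. The following is an added example, not code from CERT-AgID or from the Adwind authors: it constructs a small archive in memory that mimics the reported layout and checks for the decisive tell, an "image" whose first bytes are a ZIP local-file header. Only the file names InvoiceXpress.png and InvoiceXpress.cmd come from the report; the paths, decoy content and benign control archive are assumptions.

```python
"""Triage a ZIP dropper for the reported Adwind layout.

Added example, not code from CERT-AgID or the malware authors. The archive
inspected here is constructed in memory to mimic the reported layout; only the
names InvoiceXpress.png / InvoiceXpress.cmd come from the report, the rest
(paths, decoy content) are assumptions.
"""
import io
import posixpath
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"            # a JAR is a ZIP container, so it starts like one
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
LAUNCHER_EXTENSIONS = (".cmd", ".bat")
JAVA_BINARIES = {"java.exe", "javaw.exe", "java"}


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample archive (not a real sample).

    malicious=True  -> layout from the report: JRE + JAR named .png + CMD launcher
    malicious=False -> harmless archive with a genuine PNG and a decoy PDF only
    """
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Fattura.pdf", b"%PDF-1.4 decoy document")
        if malicious:
            # the bundled runtime is what makes the real archive ~90 MB
            z.writestr("jre/bin/java.exe", b"MZ" + b"\x00" * 64)
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF",
                             "Manifest-Version: 1.0\nMain-Class: Main\n")
            z.writestr("InvoiceXpress.png", inner.getvalue())      # JAR, not PNG
            z.writestr("InvoiceXpress.cmd",
                       "@echo off\r\njre\\bin\\java.exe -jar InvoiceXpress.png\r\n")
        else:
            z.writestr("logo.png", PNG_MAGIC + b"\x00" * 32)       # genuine PNG header
    return outer.getvalue()


def triage_archive(data: bytes) -> dict:
    """Return findings for the described pattern.

    The decisive check is a magic-byte mismatch: an 'image' whose first bytes
    are a ZIP local-file header is a JAR in disguise. A launcher script that
    invokes java with -jar, or a bundled java binary, raises confidence.
    """
    findings = {"masqueraded_jars": [], "launchers": [], "bundled_java": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = posixpath.basename(name).lower()
            with z.open(info) as fh:
                head = fh.read(8)
            if base.endswith(IMAGE_EXTENSIONS) and head.startswith(ZIP_MAGIC):
                findings["masqueraded_jars"].append(name)
            if base.endswith(LAUNCHER_EXTENSIONS):
                body = z.read(info).decode("latin-1").lower()
                if "java" in body and "-jar" in body:
                    findings["launchers"].append(name)
            if base in JAVA_BINARIES:
                findings["bundled_java"] = True
    findings["suspicious"] = bool(
        findings["masqueraded_jars"]
        and (findings["launchers"] or findings["bundled_java"])
    )
    return findings


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, triage_archive(build_sample_archive(flag)))
```

The extension check alone is useless (the attacker chose the name); the content check alone would flag every legitimate JAR. Requiring the mismatch between the two, and corroborating it with a launcher or bundled runtime, is what keeps the verdict useful on real mail-gateway traffic.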

MITRE Techniques

  • [T1566] Phishing – The threat actors sent emails with malicious PDF attachments containing links to cloud-hosted scripts (“PDF attachments named Documento.pdf or Fattura.pdf containing links to OneDrive or Dropbox”).
  • [T1204.002] User Execution: Malicious File – Victims run the CMD script, which launches the disguised JAR (“JAR disguised as PNG image executed via CMD script InvoiceXpress.cmd”).
  • [T1105] Ingress Tool Transfer – The malware payloads are downloaded from cloud storage and ngrok.dev (“downloads from OneDrive, Dropbox, Google Drive, and ngrok.dev”).
  • [T1027] Obfuscated Files or Information – The VBS/HTML code is obfuscated but decodable (“obfuscated code that can be easily decoded”).
  • [T1064] Scripting (deprecated in ATT&CK; the current mapping is [T1059] Command and Scripting Interpreter, sub-techniques Visual Basic and Windows Command Shell) – VBS and CMD scripts initiate payload execution (“VBS script downloads payload, CMD script runs JAR payload”).

Indicators of Compromise

  • [File Names] Malicious files – Documento.pdf, Fattura.pdf (email attachments), InvoiceXpress.png (disguised JAR), InvoiceXpress.cmd (execution script)
  • [Domains] Infrastructure – localto.net and its subdomains (command and control, mostly port 4414); ngrok.dev (payload hosting)
  • [File Hashes] Payload samples – Multiple hashes are listed by CERT-AgID in the original article (not reproduced here); the ZIP archive weighs approx. 90 MB because it bundles a Java runtime
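
To hunt for the network indicators above in proxy or firewall logs, the match has to cover subdomains of localto.net without tripping on look-alike names, and should distinguish the reported C2 port from other traffic to the same domain. The following is an added example, not CERT-AgID code: the indicators (localto.net and subdomains on port 4414, ngrok.dev for staging) come from the report, while the log format and the sample lines are constructed for the example.

```python
"""Flag connections to the reported Adwind infrastructure in a connection log.

Added example, not CERT-AgID code. The indicators (localto.net and its
subdomains on port 4414 for C2, ngrok.dev for payload staging) come from the
report; the log format and the sample lines below are constructed.
"""
import re

# domain -> C2 port reported for it
C2_DOMAINS = {"localto.net": 4414}
# domains used to stage/download payloads
STAGING_DOMAINS = {"ngrok.dev"}

# constructed format: <timestamp> <source ip> <destination host>:<port>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s*$")

# constructed sample lines (not real traffic); the fourth line is a
# look-alike domain that a naive substring match would wrongly flag
SAMPLE_LOG = """\
2024-07-02T09:12:01Z 10.0.3.14 onedrive.live.com:443
2024-07-02T09:12:40Z 10.0.3.14 abc123.ngrok.dev:443
2024-07-02T09:13:05Z 10.0.3.14 xyz.localto.net:4414
2024-07-02T09:13:06Z 10.0.3.14 notlocalto.net:4414
2024-07-02T09:14:10Z 10.0.3.22 localto.net:80
"""


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(host: str, port: int):
    """Return 'c2', 'c2-domain-other-port', 'staging' or None."""
    for domain, c2_port in C2_DOMAINS.items():
        if host_matches(host, domain):
            # traffic to the C2 domain on another port is worth a look,
            # but is weaker evidence than the reported port 4414
            return "c2" if port == c2_port else "c2-domain-other-port"
    for domain in STAGING_DOMAINS:
        if host_matches(host, domain):
            return "staging"
    return None


def scan_log(text: str) -> list:
    """Return (src, host, port, verdict) for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        port = int(m["port"])
        verdict = classify(m["host"], port)
        if verdict:
            hits.append((m["src"], m["host"], port, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Both localto.net and ngrok.dev are shared services, so a hit on the domain alone identifies a host worth triaging rather than a confirmed infection; the port-4414 match against a localto.net subdomain is the strongest signal the report gives.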


Read more: https://cert-agid.gov.it/news/distribuzione-mirata-in-italia-di-adwind/