The Legend of Adwind: A Commodity RAT Saga in Eight Parts

In early 2012, a developer started selling “Frutas,” the first member of the Adwind family of Java-based remote access tools (RATs). In the years since, it has been rebranded at least seven times, under the names Adwind, UnReCoM, Alien Spy, JSocket, JBifrost, UnknownRat, and JConnectPro.

The Adwind RAT family remains prevalent in the wild. Palo Alto Networks has collected over 45,000 samples from the various Adwind iterations. We have observed these samples used in over 2 million attacks against Palo Alto Networks customers since 2017, highlighting the high impact of this popular commodity RAT.

The first six iterations of the multi-platform Adwind RAT family have been exhaustively documented, so we will not rehash analysis of the RAT itself. This piece describes two recent, hitherto undocumented rebrandings, “Unknown RAT” and “jConnect Pro RAT,” and clarifies some misconceptions. We have identified the author of this commodity malware, showing that ownership of the RAT never actually changed across its various monikers.

Source: Palo Alto Networks