A remote access tool (RAT) known as Adwind, which can steal passwords, log keystrokes and covertly record audio through an infected device's microphone, is surging across multiple countries in a fresh spam campaign, researchers have warned.
In January this year the malware was detected 5,286 times; by June, less than six months later, the count had climbed to 117,649 detections. That is according to figures released by Japanese cybersecurity firm Trend Micro this week (Tuesday 11 July). Note that the 107% rise cited alongside those figures cannot be the January-to-June change, which is more than twentyfold (5,286 to 117,649); it refers to a shorter interval.
Adwind, also known as jRAT, AlienSpy and JSocket, is written in Java and runs on any system with a Java runtime installed, including Windows, Mac OS X, Linux and Android.
It is highly adaptable and is typically sold on underground markets under the malware-as-a-service (MaaS) model.
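Because Adwind is delivered as a Java archive and runs wherever a JRE is present, one practical triage step is to identify Java archives by content rather than by file extension, and to pull out the Main-Class entry a JRE would execute. The Python below is an added example, not code from the article or from Trend Micro: the archive it inspects is constructed in the block (a minimal manifest plus a dummy class file), not an Adwind sample, and the filenames are hypothetical.

```python
import io
import zipfile
from typing import Iterable, List, Optional, Tuple

# A JAR is a ZIP archive whose META-INF/MANIFEST.MF may name a Main-Class.
# The ZIP local file header begins with these four bytes.
ZIP_MAGIC = b"PK\x03\x04"


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest into a dict.

    Lines are 'Name: value'. A line beginning with a single space continues
    the previous value (the JAR spec wraps long lines). A blank line ends
    the main section; per-entry sections that follow are ignored here.
    """
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def jar_main_class(data: bytes) -> Optional[str]:
    """Return the Main-Class of a JAR given as bytes, or None if not a JAR.

    The check is content-based: a renamed .jar still starts with the ZIP
    magic and still carries its manifest.
    """
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return None
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    return parse_manifest(manifest).get("Main-Class")


def triage(samples: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Flag every sample that is an executable JAR, whatever its extension."""
    hits = []
    for name, data in samples:
        main = jar_main_class(data)
        if main is not None:
            hits.append((name, main))
    return hits


def build_sample_jar(main_class: str) -> bytes:
    """Construct a minimal JAR-shaped archive for testing (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n" f"Main-Class: {main_class}\r\n" "\r\n",
        )
        # Class files start with 0xCAFEBABE; the rest is omitted on purpose.
        zf.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Construct an ordinary ZIP with no manifest (should not be flagged)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here")
    return buf.getvalue()


# Constructed samples (hypothetical names): a JAR disguised as a PDF,
# a harmless ZIP, and a real-looking PDF header.
SAMPLES = [
    ("document.pdf", build_sample_jar("example.Loader")),
    ("archive.zip", build_plain_zip()),
    ("readme.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]

if __name__ == "__main__":
    for name, main in triage(SAMPLES):
        print(f"{name}: executable JAR, Main-Class={main}")
```

The content-based check matters because the extension a mail filter sees is under the attacker's control, while the ZIP magic and the manifest are what the JRE actually needs; a JAR with no Main-Class is reported as not executable by this check, so a launcher that uses `java -cp` with an explicit class would need a separate rule.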
In the most recent campaign, hackers – who remain unknown – are targeting the aerospace industry with Switzerland, Ukraine, Austria, and the US being the most affected countries to date, wrote Trend Micro's threat analysts Rubio Wu and Marshall Chen in a blog post.
The spam was reportedly sent in two waves. The first, on 7 June 2017, used social engineering to draw clicks on a link that redirected victims to a web address hosting the malware. The second, observed on 14 June, used a different set of domains to serve Adwind.
As a lure, the spam email's message impersonated the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.
The message was billed as urgent changes to a "charter agreement", wording the researchers said was designed to instil "a sense of urgency" in recipients.
In social engineering, attackers tailor email attacks to their targets. Malicious spam is becoming increasingly personalised in an attempt to manipulate victims into clicking links or opening attachments that carry malware or spyware.
"Adwind is a cross-platform, Java-based malware," the researchers explained.
"This calls for a multi-layered approach to security that covers the gateway, endpoints, networks, servers, and mobile devices. Think before you click, be more prudent when opening unknown or unsolicited emails, and be more aware of different social engineering tactics."
Russian cybersecurity firm Kaspersky Lab said in a 2016 report that it had seen more than 443,000 Adwind infections between 2013 and 2016. It stressed that Adwind is not considered an "APT" attack, a label often used for state-backed hacking activity.
Last year, security firm Symantec found a variant of Adwind in a spam campaign that was capitalising on the controversial 2016 US presidential election. It promised the recipient a video of Hillary Clinton meeting with the leader of terror group Isis, but would instead infect the computer.