Toward the end of 2018, cybersecurity researchers noticed a surge in spam emails around the world carrying a new version of Adwind. Although Adwind originally targeted businesses, the new RAT - also known as AlienSpy, Frutas, Unrecom, JSocket, and jRat - is no longer picky. It is going after consumer and business PCs and Macs alike.
Adwind is a multi-platform remote access trojan written in Java, which means it runs anywhere a Java runtime is installed, including Windows, Mac, Linux, and Android. Although Apple stopped shipping Java as a core part of macOS years ago, any Mac whose owner has installed Java is still exposed, especially given the new adaptations of the trojan.
What is Adwind RAT?
As with any trojan, phishing email campaigns are used to lure recipients into clicking a link or downloading an attachment that carries the malicious payload. Once Adwind RAT is on your Mac, it connects to its command-and-control server to download further malicious components.
Once it is running on your Mac, Adwind RAT can log keystrokes and capture data submitted through web forms, so anything you type, including passwords, can be stolen. It can also take screenshots and switch on your microphone and webcam. The operators can steal files and modify system files on the compromised machine.
For those who invest in cryptocurrencies, there are added risks. Adwind RAT has been upgraded to steal the private keys and wallet files that give users access to their cryptocurrency wallets, effectively giving those behind it a back door into your crypto investments and savings.
Typically, it enters your Mac through a phishing email: a booby-trapped spreadsheet attachment that, once opened and waved through the usual warnings, downloads a Java archive (.jar) containing the RAT.
When it was originally discovered, over 400,000 devices across every platform were known to be infected, in the U.S., India, Turkey, Europe and Hong Kong. The creators targeted a variety of industries and sectors, including finance, manufacturing, shipping and telecoms. The scope has since widened to include consumers, with the aim of harvesting as much useful information as possible for financial gain and other malicious purposes.
Adwind malware is nasty, and not something you want running around on your Mac.
The new version - 3.0 - puts real effort into avoiding detection by antivirus software. It also bypasses traditional defenses with a Dynamic Data Exchange (DDE) code injection attack: a specially crafted spreadsheet cell abuses Excel's DDE feature so that, when the file is opened and the user clicks through the prompts, Excel launches a command that fetches the trojan. DDE itself is a Windows mechanism, so this dropper stage works against Excel on Windows; the Java payload it fetches, however, runs on any platform with Java, which is why Macs with Java installed are still at risk. Recent victims are emerging in Germany and Turkey, and many thousands of devices are probably already infected around the world.
How to remove Adwind?
One way to protect yourself is to watch out for emails containing .CSV and .XLT attachments, as well as attachments with extensions such as .HTM, .XCL and .DB, especially if you don't recognize the sender. These are formats that a spreadsheet application such as Excel or Numbers will typically open, which is what gives Adwind RAT its chance to get onto your Mac.
Unlike the original version, this new adaptation of the trojan does its best to avoid detection and confuse antivirus software. Sending malformed attachments, for example files without a file name, is one way of doing that: antivirus software treats such files as corrupt and skips them, while Numbers and Microsoft Excel still open them without noticing that the attachment is a fake.
If someone then downloads such a file and ignores the usual warnings, it is opened and the trojan payload is downloaded as a Java archive (.jar) file.
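The attachment check described in the last few paragraphs can be automated before anything is opened in Excel or Numbers. The script below is an added example written for this article, not code from the original page or from any vendor: it greps spreadsheet attachments for cells that begin with a DDE-style formula (the general shape is `=cmd|'/c ...'!A0` or `=DDE(...)`, and Excel also treats cells starting with `+`, `-` or `@` as formulas), which is the technique the DDE code injection attack relies on. The extension list and the pattern are heuristics chosen for illustration, the sample files it scans are constructed here and contain nothing but a harmless `echo`, and a genuine binary .xlt would need converting to text before grepping.

```shell
#!/bin/sh
# dde_check.sh: flag spreadsheet attachments that carry DDE-style formulas.
# Added example for this article; not from the original page. The pattern is a
# heuristic, and the demo files below are constructed (harmless) samples.

# A DDE launch looks like  =cmd|'/c <command>'!A0  or  =DDE("cmd";"/c ...";"A0").
# Excel also treats cells starting with + - @ as formulas, so those prefixes count too.
# The cell may be at line start or follow a field separator (, or ;) or an opening quote.
DDE_PATTERN='(^|[,;"[:space:]])[=+@-][[:space:]]*(dde[[:space:]]*\(|[a-z0-9_.]+[[:space:]]*\|)'

# dde_check FILE: print matching lines with line numbers; exit 0 if any found, 1 if clean.
dde_check() {
    # -a treats the file as text so a renamed .xlt does not just say "binary file matches"
    grep -ainE "$DDE_PATTERN" "$1"
}

# scan_attachments DIR: check every spreadsheet-like attachment in DIR.
# Exit status 1 if anything suspicious was found, 0 if everything is clean.
scan_attachments() {
    dir=$1
    found=0
    for f in "$dir"/*.csv "$dir"/*.CSV "$dir"/*.xlt "$dir"/*.XLT "$dir"/*.xcl "$dir"/*.XCL; do
        [ -f "$f" ] || continue
        if hits=$(dde_check "$f"); then
            found=1
            printf 'SUSPICIOUS: %s\n%s\n' "$f" "$hits"
        else
            printf 'clean:      %s\n' "$f"
        fi
    done
    return $found
}

# demo: build a few constructed attachments in a temp directory and scan them.
# The "lure" only runs `echo`, and only if someone opened it in Excel on Windows
# and clicked through the DDE prompts; here it is never opened, only grepped.
demo() {
    tmp=$(mktemp -d)
    printf 'invoice,amount\nACME,1200\n' > "$tmp/invoice.csv"
    printf 'id,total\n1,=SUM(B2:B9)\n' > "$tmp/report.csv"
    printf 'invoice,amount\n"=cmd|'"'"'/c echo demo'"'"'!A0",0\n' > "$tmp/lure.xlt"
    scan_attachments "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh dde_check.sh --demo` to see the constructed lure flagged and the two ordinary spreadsheets (one of them with a perfectly normal `=SUM` formula) pass; point `scan_attachments` at your mail client's attachment download folder to use it for real. A hit does not prove malice, but a spreadsheet from a stranger whose cells try to launch a program is not one to open.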
Removing Adwind RAT manually can be tricky and take some time. You have to go digging in files buried deep in your Mac to find applications and folders that look out of place, then remove them. Restarting your Mac after doing this should help, but you can’t know for certain that it is gone.
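Here is what that digging can look like in practice. This is an added example written for this article, not a tool from the page or from any vendor, and it rests on a stated assumption: a Java-based RAT that wants to survive a reboot on macOS commonly installs a launchd property list (in ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons) whose ProgramArguments run `java -jar` on an archive dropped in a hidden or temporary folder. The script lists such plists and rates the jar's location; it removes nothing, the plist it is tested against is constructed here, and binary plists would need `plutil -convert xml1` before it can read them.

```shell
#!/bin/sh
# java_launchers.sh: list launchd plists that start a Java archive, and rate where the jar lives.
# Added example for this article, not from the page or any vendor tool.
# Assumption: a Java RAT persists on macOS via a LaunchAgent/LaunchDaemon that runs `java -jar FILE.jar`.
# The script only reports. To remove a confirmed hit yourself:
#   launchctl bootout gui/$(id -u) PLIST    (or `launchctl unload PLIST` on older macOS)
# then delete the plist and the jar it points at, and reboot.

# find_jar_launchers DIR...: print "PLIST<TAB>JAR" for every XML plist that runs java on a .jar.
find_jar_launchers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            # Binary plists need: plutil -convert xml1 -o - "$plist"  (not handled here)
            grep -aq '<string>[^<]*java[^<]*</string>' "$plist" || continue
            jar=$(grep -ao '<string>[^<]*\.jar</string>' "$plist" \
                  | sed 's/<\/*string>//g' | head -n 1)
            [ -n "$jar" ] || continue
            printf '%s\t%s\n' "$plist" "$jar"
        done
    done
}

# rate_jar_path JAR: where the jar lives says a lot about who put it there.
rate_jar_path() {
    case "$1" in
        */.[!.]*/*.jar|/tmp/*|/private/tmp/*|/var/tmp/*|/Users/Shared/*)
            echo suspicious ;;   # hidden folder, temp dir or shared dir: typical malware drop
        /Library/Java/*|/Applications/*|/usr/local/*)
            echo review ;;       # usual home of legitimate Java software; still verify the jar
        *)
            echo unknown ;;
    esac
}

# report DIR...: one line per hit in the form "RATING PLIST -> JAR".
report() {
    tab=$(printf '\t')
    find_jar_launchers "$@" | while IFS="$tab" read -r plist jar; do
        printf '%-10s %s -> %s\n' "$(rate_jar_path "$jar")" "$plist" "$jar"
    done
}

if [ "${1:-}" = "--scan" ]; then
    report "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
fi
```

Run `sh java_launchers.sh --scan` in Terminal; an empty result means no launchd job on this Mac starts a .jar, which is the normal state for a machine that has no Java software installed. Anything rated `suspicious` deserves a look at the jar itself (its size, date and contents via `unzip -l`) before you decide, since a legitimate Java tool that happens to live in a hidden folder will trip the same rule.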
Another way is to use antivirus software, but not all antivirus products are equipped to remove Adwind RAT, and with some you need to upgrade to a paid version before removal is complete.
Or take a shortcut: Use a dedicated app uninstaller
There are many fake Mac cleaner tools that claim to remove viruses, but only a few of them work as advertised. One from the legitimate camp is CleanMyMac. I've been using it since the first version and can confirm that it removes junk quite effectively, including the small malware leftovers that an ordinary user can't easily reach. The app is notarized by Apple, which means Apple has checked it for known malicious content, so you can safely use it to clean your Mac.
Download CleanMyMac X (free version) and use its Malware Removal tool. Here is how it works:
CleanMyMac X scans for all known versions of Adwind RAT. Once the scan is complete, it shows you what is lurking inside your Mac. Click Remove, and Adwind is gone for good.
Adwind RAT is a nasty piece of malware. Hidden in seemingly innocent Excel files, it sets out to steal everything from video and audio to screenshots and cryptocurrency wallet keys. It can slip past antivirus software, although if Java is not installed on your Mac and you are not tricked into downloading it, you should be safe. But you can never be too careful. Don't risk infection by opening something you aren't 100% sure of, and use the right tools to scan your Mac often enough to remove threats such as Adwind RAT.