Toward the end of 2018, cybersecurity experts noticed a surge in the number of spam emails around the world. Although Adwind originally targeted businesses, the new version of the RAT — also known as AlienSpy, Frutas, Unrecom, JSocket, and jRat — is no longer picky: it goes after consumer and business PCs and Macs alike.
Adwind is a multi-platform remote access trojan written in Java, which means it runs wherever a Java runtime is installed, including Windows, Mac, Linux, and Android. Although Apple stopped shipping Java as a core part of the operating system years ago, there is still a risk, especially given the new adaptations of the trojan.
What is Adwind RAT?
As with most trojans, phishing email campaigns are used to encourage anyone who receives them to click or download something containing the malicious payload. Once Adwind RAT is on your Mac, it connects to its command-and-control server to download further malicious payloads.
From that point, Adwind RAT can collect and steal keystrokes and other data submitted via web forms, as well as anything you type on your computer, including passwords. It is also capable of recording screenshots and taking control of your speakers and webcam. Those controlling it remotely can steal files or gain control of system files and modify them.
For those who invest in cryptocurrencies, there are added risks. Adwind RAT has been upgraded to steal cryptographic keys that give users access to cryptographic wallets, effectively giving those behind this a backdoor into your crypto investments and savings.
Typically, it enters your Mac through a phishing email: a spreadsheet attachment that, once opened, fetches the Java archive carrying the trojan.
When it was originally discovered, over 400,000 devices across every platform were known to be infected. It was reported across the U.S., India, Turkey, Europe, and Hong Kong. Its creators were focused on a variety of industries and sectors, including finance, manufacturing, shipping, and telecoms. However, it seems that the scope has been widened to include consumers with the aim of harvesting as much useful information as possible for financial gain and malicious purposes.
Adwind malware is nasty and not something you want running around on your Mac.
The new version — 3.0 — has put effort into avoiding detection through antivirus software. It is also bypassing traditional security methods using a Dynamic Data Exchange (DDE) code injection attack and corrupting Excel and other Microsoft products. Recent victims are emerging in Germany and Turkey, with a strong probability that many thousands of devices around the world are already infected.
How to remove Adwind?
One way to protect yourself is to watch out for emails containing .CSV and .XLT attachments. Also, be cautious of any attachments with extensions including .HTM, .XCL and .DB, especially if you don’t recognize the email or sender. All of these file formats are opened using Excel or Numbers on a macOS device by default, therefore potentially giving Adwind RAT access to your Mac.
Unlike the original version, this new adaptation of the trojan is doing its best to avoid detection and confuse antivirus software. Sending attachments without file names is one way of doing that: antivirus software sees these files as corrupt, while macOS Numbers and Microsoft Excel still open them without noticing that the attachment is fake.
If someone then downloads a file and ignores the usual warnings, it will be opened, and the trojan payload will be downloaded using a Java archive file.
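The two warning signs described above (risky spreadsheet extensions and nameless attachments) can be checked mechanically before a file is ever opened. The following is an added example, not code from the original article or from any product it mentions; it uses the extension list given above and adds one structural check the article only implies: because a Java archive is a ZIP container with a `META-INF/MANIFEST.MF` entry, a JAR can be recognized by its contents no matter what name (or lack of name) the attachment carries. The attachment samples are constructed inline for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions the article singles out as opened by Excel or Numbers by default.
RISKY_EXTENSIONS = {".csv", ".xlt", ".htm", ".xcl", ".db"}


@dataclass
class Attachment:
    filename: str  # may be empty: the article notes nameless attachments
    data: bytes


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def is_java_archive(data: bytes) -> bool:
    """True if the bytes are a ZIP container that looks like a JAR.

    A JAR is an ordinary ZIP archive; Java expects META-INF/MANIFEST.MF
    inside it and the bytecode lives in .class entries.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def triage_attachment(att: Attachment) -> Verdict:
    """Flag an attachment that matches the article's warning signs."""
    reasons = []
    name = att.filename.strip()
    if not name:
        reasons.append("attachment has no file name")
    else:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext} opens in a spreadsheet app by default")
        if ext == ".jar":
            reasons.append("explicit Java archive")
    # Content check: catches a JAR hiding behind a spreadsheet name or no name.
    if is_java_archive(att.data):
        reasons.append("content is a Java archive regardless of its name")
    return Verdict(bool(reasons), reasons)


def make_sample_jar() -> bytes:
    """Constructed stand-in for a JAR attachment (no real bytecode inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Example\n")
        zf.writestr("Example.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real captures.
    samples = [
        Attachment("report.csv", b"a,b\n1,2\n"),
        Attachment("notes.txt", b"hello"),
        Attachment("", b"no name at all"),
        Attachment("invoice.xlt", make_sample_jar()),
    ]
    for s in samples:
        v = triage_attachment(s)
        print(repr(s.filename), "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The last sample is the case worth noticing: a file named like a spreadsheet template whose bytes are actually a Java archive is flagged twice, once for the extension and once for the content, so a renamed JAR does not slip through on the name check alone.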
Removing Adwind RAT manually can be tricky and take some time. You have to go digging in files buried deep in your Mac to find applications and folders that look out of place and then remove them. Restarting your Mac after doing this should help, but you can’t know for certain that it is gone.
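The manual hunt described above, looking for launch items that "look out of place", can be made systematic. The following added example (not the article's own procedure and not from any product it names) parses launchd property lists, the files macOS uses to start programs at login or boot, and flags entries that launch a Java archive or run from a hidden folder, which is what a Java-based RAT's persistence would have to look like. `scan_directories` is there for a real Mac; the two plists at the bottom are constructed samples with a placeholder user path so the logic can be exercised offline.

```python
import plistlib
from pathlib import Path

# Standard launchd locations checked during a manual sweep.
LAUNCH_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def program_line(plist: dict) -> list:
    """Return the command a launch item runs, from ProgramArguments or Program."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    prog = plist.get("Program")
    return [str(prog)] if prog else []


def suspicious_reasons(plist: dict) -> list:
    """List why a launch item looks out of place; empty list means nothing noted."""
    cmd = program_line(plist)
    if not cmd:
        return []
    reasons = []
    launches_java = (
        Path(cmd[0]).name.lower() == "java"
        or "-jar" in cmd
        or any(part.lower().endswith(".jar") for part in cmd)
    )
    if launches_java:
        reasons.append("launches a Java archive")
    for part in cmd:
        # A path component starting with '.' is a hidden folder or file.
        if any(seg.startswith(".") and seg not in (".", "..") for seg in Path(part).parts):
            reasons.append(f"runs from a hidden folder: {part}")
            break
    if plist.get("RunAtLoad") and reasons:
        reasons.append("starts automatically at login/boot")
    return reasons


def scan_plist_text(text: bytes) -> list:
    """Parse one XML plist and return its reasons (unparseable files are reported too)."""
    try:
        plist = plistlib.loads(text)
    except Exception as exc:  # plistlib raises InvalidFileException or expat errors
        return [f"could not parse plist: {exc}"]
    return suspicious_reasons(plist)


def scan_directories(dirs=LAUNCH_DIRS) -> dict:
    """Walk the launchd folders on a real Mac and map each flagged file to its reasons."""
    findings = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in d.glob("*.plist"):
            reasons = scan_plist_text(f.read_bytes())
            if reasons:
                findings[str(f)] = reasons
    return findings


# Constructed samples. /Users/alice/.hidden is a placeholder, not a known Adwind path.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.updater.helper</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/java</string><string>-jar</string>
<string>/Users/alice/.hidden/update.jar</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(label, scan_plist_text(text))
    print(scan_directories())  # empty on a machine with no launchd entries to flag
```

A flagged item is a lead, not a verdict: legitimate Java applications also register launch agents, so the next step is to check where the referenced archive lives and who signed it before removing anything.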
Another way is to use antivirus software. Not all of them are equipped to remove Adwind RAT. And for some, you need to upgrade to ensure the removal is complete.
Or take a shortcut: Use a dedicated app uninstaller
There are many fake Mac cleaner tools that claim to remove viruses, but only a few of them do work as advertised. One from the legit camp is CleanMyMac X. I’ve been using it since the first version and confirm that it does remove junk quite effectively. It goes after those small virus leftovers that ordinary users can’t access. This app is notarized by Apple, which means it doesn’t have any malicious components. Thus, you’ll be safe cleaning your Mac using it.
Download CleanMyMac X (free version) and open its Malware Removal tool.
CleanMyMac X will scan your Mac for all known versions of Adwind RAT. Once the scan is complete, it will show you what is lurking inside your Mac. Click Remove, then Adwind will disappear for good.
Adwind RAT is a nasty piece of malware. Hidden in seemingly innocent Excel files, Adwind is looking to steal everything from video and audio to screenshots and cryptographic keys. It can bypass antivirus software. Still, if you don’t have Java enabled on your Mac, and it doesn’t trick you into downloading it, you should be safe. But you can never be too careful. Don’t risk infection by downloading something you aren’t 100% sure of, and use the right tools to scan your Mac often enough to remove threats like Adwind RAT.