Accelerate your SSE journey. Join Netskope at RSA.

  • Security Service Edge Products

    Protect against advanced and cloud-enabled threats and safeguard data across all vectors.

  • Borderless SD-WAN

    Confidently provide secure, high-performance access to every remote user, device, site, and cloud.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report Go to Products Overview
Netskope gartner mq 2022 sse leader
Gartner® Quick Answer: How Does Netskope’s Acquisition of Infiot Impact SD-WAN, SASE, and SSE Projects?

Get the report
Gartner quick answer
Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform
Birds eye view metropolitan city
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more
Lighted highway through mountainside switchbacks
Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more
Lighting storm over metropolitan area
Zero trust solutions for SSE and SASE deployments

Learn more
Boat driving through open sea
Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
Wind turbines along cliffside
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn more
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn more
Group of young professionals working
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Episode 10: Building Security Relationships Through Transparency
In this episode, Mike and Andreas discuss aligning with works councils, forging business relationships through transparency, and embedding security into value streams.

Play the podcast
Building Security Relationships Through Transparency
Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
Netskope at RSA

Join Netskope at RSA Conference this year and be part of the real conversations on SASE and Zero Trust. Stop by our booth in South Hall, chat with an expert, register for our speaking sessions, and unwind by joining us at one of our events!

Learn more
RSA logo
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
Four-way roundabout
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more
Curvy road through wooded area
Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more
Switchback road atop a cliffside
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Group of diverse young professionals smiling

New Adwind Campaign targets US Petroleum Industry

Oct 01 2019

A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection. We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month. We have previously reported the use of this RAT targeting the retail and hospitality industry

The overall functionality of the RAT has remained the same as our previous post: It achieves persistence through registry modifications, performs process injection to stay under the radar, terminates security services (e.g., firewall, AV), and steals sensitive data. The major change is in the obfuscation technique, wherein multiple embedded JAR archives are used before unpacking the actual payload. Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1. This blog post provides an analysis of the new campaign and the new obfuscation techniques.

Responsible Disclosure

The URLs hosting the Adwind RAT were reported to Westnet on September 9th, 2019.

Analysis Details

We discovered the new campaign serving the Adwind RAT JAR payload from “members[.]westnet[.]com[.]au/~joeven/”. Westnet is an Australian ISP. The attacker is either a Westnet user or has compromised the account of one or more Westnet users. The same RAT is being hosted by multiple other Westnet users. Some of the recent uploads have multiple file extensions (*.png.jar.jar) to hide the actual file-type visibility from the target user. We have listed some of the current upload directories in the Indicators of compromise section. At the time of writing, the links were still active.

When the victim executes the payload, there are multiple levels of JAR extractions that occur. Figure 1 below summarizes the execution stages at a high level. 

Figure 1: Process execution stages involved in Adwind’s infection chain 

Step 1

The dropped JAR payload executes and creates the parent java process and copies itself into the %User% directory. Once the copy is created, the java thread performs the following three actions:

  • Executes the copy
  • Creates a registry entry in HKCU/CurrentVersion/Run to maintain persistence
  • Creates WMI scripts in %temp% and launches them. These scripts, shown in Figure 2, disable firewall and antivirus services.

Figure 2: WMI scripts created by the first stage JAR payload.

Step 2

The new JAR dropped in Step 1:

  • Performs AES decryption routine on an embedded object to construct the Step 3 JAR 
  • Writes the Step 3 JAR in the %temp% directory and executes it as a new java thread.

Figure 3 below shows the decompiled class files implementing the decryption routine on an object named “_”. 

Figure 3: Embedded object which decrypts to JAR file with the JRAT class

Step 3

The Step 3 JAR loads the JRAT class.

Step 4

This JRAT class is responsible for loading and linking the DLL which contains the major RAT functionality. It then tries connecting to its command and control server at 185[.]205[.]210[.]48. The JRAT class contains multiple levels of obfuscations within itself in order to hide its features and functionality. 

When we last blogged about it, the RAT was cross-platform and supported Windows, Linux, and Mac. Figure 4 below shows the OS check implemented by JRAT, indicating that the cross-platform support hasn’t changed. 

Figure 4: JRAT class checking for OS environment

The core functionalities of the RAT is shown in Figure 4 below. Some of the highlight features include:

  • Capturing webcam images
  • Scanning the hard-drive for files based on extensions defined in RAT’s config.
  • Spinning up multiple process threads and performing injection into known legitimate windows processes. 
  • Monitoring system status.
  • Encrypting and exfiltrating the data to its command and control server.

Figure 5: Netskope Advanced Heuristic dashboard listing key features of the RAT.

Conclusion

The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58. These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.

Indicators Of Compromise

IOCTypeDescription
3bdfd33017806b85949b6faa7d4b98e4HashWMI script created by Malware
a32c109297ed1ca155598cd295c26611HashWMI script created by Malware
a9175094b275a0aaed30604f7dceeb14HashFirst level JAR payload
781fb531354d6f291f1ccab48da6d39fHashDecrypted JAR file
0b7b52302c8c5df59d960dd97e3abdafHashDLL file created by the JAR
185.205.210.48IPCommand and Control IP
huup://members[.]westnet[.]com[.]au/~philchief/URLPages serving the malicious JAR payload
huup://members[.]westnet[.]com[.]au/~lionsnortham/URLPages serving the malicious JAR payload
huup://members[.]westnet[.]com[.]au/~mcleodart/URLPages serving the malicious JAR payload
huup://members[.]westnet[.]com[.]au/~jbush/URLPages serving the malicious JAR payload
huup://members[.]westnet[.]com[.]au/~joeven/URLPages serving the malicious JAR payload
huup://members[.]westnet[.]com[.]au/~howrahnursery_nbn/URLPages serving the malicious JAR payload