FortiGuard Labs Threat Research
The Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems. Its cross-platform nature, elaborate backdoor features, and relatively cheap price makes it a favourite choice for many cybercriminals today. Earlier this year, it was reported that Adwind was used in at least 443,000 attacks.
Adwind has rebranded itself multiple times in the past, using the names “Frutas,” “AlienSpy,” and “Unrecom,” to name a few. The most recent name it used was “Jsocket,” which was put in the spotlight when reports about it circulated last February. Shortly after, JSocket appears to have closed business:
Our intelligence suggests that the perpetrators behind Adwind and JSocket have simply rebranded the tool yet again, this time using the name “JBifrost”. This post will detail our findings.
JBifrost Website Overview
Similar to its predecessor, the JBifrost website hosts a marketplace and a community forum. Subscribers now need an invitation code to access the site:
The basic membership appears to be $45 USD per month, while renewal is $40 USD. This membership allows a subscriber to download the JBifrost RAT as well as a few other plugins.
In addition, JSocket previously accepted a variety of payment methods, including PerfectMoney, CoinPayments, Advcash, and EntroMoney. For this iteration, JBifrost only accepts Bitcoin as payment:
Additional tools, such as binders and downloaders, have separate prices:
As can be seen above, the JBifrost RAT has been downloaded 1,566 times as of this writing. This more or less represents the number of users actively using the RAT.
JBifrost’s website has the same professional feel as that of JSocket’s. It provides a forum and chat box where subscribers can find tutorials for using the RAT, as well as communicate any concerns regarding their service:
The website also provides a free file scanner to help its users make sure the RAT is not detected by anti-virus products:
When did JBifrost surface?
Based on JBifrost’s change log, the first version of the RAT was released on May 15, 2016 – three months after JSocket closed business:
The latest release states that it is running version “1.1.0”. Upon executing the JBifrost client, however, it downloaded an updated copy from its server with the version number “1.1.1”. The user interface looks as follows:
In fact, the above interface is simply an updated JSocket interface:
So, what’s the difference between JBifrost and JSocket?
Based on our investigation, JBifrost includes only minor changes from its predecessor.
The current JBifrost client interface added two additional columns. One of these is a keyboard status flag that shows a green check mark if an infected user is actively using the keyboard. The other is a text column that displays the current window title of the victim:
A new module was also added to the RAT with the ID “eee.” This feature allows cybercriminals to intercept form data from Google Chrome:
A tab named “Misc” was also added to allow additional configuration for JBifrost servers:
Finally, a feature that binds JBifrost Android servers with a digital signature was added:
Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply rebranding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website.
They also appear to be more cautious since their website is only accessible to invited users, and they are using Bitcoin as their only mode of payment.
As of this writing, we can confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes. We will continue to monitor developments regarding this prominent RAT.
Fortinet detects Adwind servers, regardless of its current brand, as Java/Adwind variants.
-= FortiGuard Lion Team =-