FYI...
JAVA_ADWIND - Trend Micro telemetry
> http://blog.trendmicro.com/trendlabs...n-adwind-jrat/
July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
JAVA_ADWIND detections from January to June, 2017:
> https://blog.trendmicro.com/trendlab...ind-spam-1.jpg
... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
hxxps ://nup[.]pw/DJojQE[.]7z
hxxp ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/9aHiCq[.]dll ...
... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
Indicators of Compromise:
Files and URLs related to Adwind/jRAT:
hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
hxxps ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/Qcaq5e[.]jar ..."
nup .pw: 149.210.145.237: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/9d...6033/analysis/
employersfinder .com: 198.38.91.121: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/ff...9e9e/analysis/
ccb-ba .adv.br: 50.116.112.205: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/71...0c44/analysis/