The remote access Trojan Adwind has resurfaced and, as of last weekend, is being used in spam emails targeting Danish companies, researchers said.
In emails purporting to be order requests, sent from either spoofed or fake return addresses, attackers are spreading malicious .jar (Java archive) files. If a user clicks through and opens the file, Adwind’s code runs and the machine is pulled into a botnet.
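Because the lure arrives as a Java archive attached to an email, a mail-side check can flag such attachments before a user opens them. The following is an added example, not code from the researchers or the original article: the function names and the constructed sample message are assumptions, and it treats any attachment named `.jar`, or any ZIP containing `META-INF/MANIFEST.MF`, as a JAR.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def is_jar(name, payload):
    """True if a part is named *.jar or is a ZIP that carries a JAR manifest."""
    if (name or "").lower().rstrip(". ").endswith(".jar"):
        return True
    if not payload.startswith(b"PK\x03\x04"):  # ZIP local-file-header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            entries = {n.upper() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in entries

def jar_attachments(raw):
    """Return the filenames of every MIME part in a raw message that is a JAR."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if is_jar(part.get_filename(), payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits

def _zip(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def build_sample():
    """Constructed message: one .jar, one JAR renamed to .pdf, one ordinary ZIP."""
    jar = _zip("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "orders@example.com", "sales@example.org"
    msg["Subject"] = "Order request"
    msg.set_content("Please see the attached order.")
    for fname, data in [("PO_1234.jar", jar), ("order.pdf", jar),
                        ("photos.zip", _zip("a.txt", "hello"))]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(jar_attachments(build_sample()))
```

The content check catches a JAR that has been renamed to another extension, while an ordinary ZIP without a manifest is left alone.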
According to researchers with Romania-based Heimdal Security, who described the RAT in a blog post on Monday, this iteration of Adwind communicates with a server that has been used in other RAT campaigns that use dynamic DNS services. Command and control servers used by the RAT have gone down and come back up over the course of its existence. Most of them rely on dynamic DNS servers and are not real domain registrations.