Hackers use Java RAT to target Indian banks


Hackers targetting Indian Banks with Java RAT trojan, Adwind Java RAT infects Java installed on Windows, Linux, and Mac run PC/laptops

You are not the only one who feels that hacking attacks have suddenly witnessed an exponential rise in these depressing coronavirus pandemic times. If you look at the news, you will see hack attacks, data breaches, RATs, Trojans, Malware grabbing the headlines. Indian banks are a luscious target for hackers, especially the co-operative banks in India. Now Quickheal researchers have found a new trojan “Adwind Java RAT” which targets Java installed on Windows/macOS/Linux PCs running in the Indian banks.

According to a report by QuickHeal the Adwind Java Rat deliberately targets co-operative banks in remote places of India. The co-operative banks in India are small banks and usually don’t have any large trained IT and cybersecurity teams to handle cyberattacks.

According to researchers, these small banks are targetted through social engineering and phishing emails. The hackers send emails that refer to the new RBI guidelines for banks during COVID-19 and have an attached zip file. The email subject and the attachment which the cybercriminals send are as follows:

Email Subjects:

  • Urgent – COVID measures monitoring template
  • Query Reports for RBI INSPECTION
  • Moratorium
  • FMR returns
  • Assessment Advice-MH-603
  • [874890897] – MIS for NEFT/RTGS, 06-04-2020 [1]
  • Deal confr.
  • DI form

Attachment Names:

  • Covid_19_measures_Monitoring_Template-Final_xlsx.zip
  • NSBL-AccListOnTheBasisOfKYCData_0600402020_pdf.zip
  • Gazette notification&RBI_Directives_file-00000120_pdf.zip
  • Fmr-2_n_fmr_3_file_000002-pdf.zip
  • MON01803_DIC_pdf.zip
  • SHRIGOVARDHANSING0023JI001_pdf.zip
  • DI_form_HY_file_00002_pdf .zip

The Quickheal team took apart the zip file and discovered that it contains a malicious JAR file. The JAR file is a remote admin trojan that can be run on any machine installed with Java including windows, Linux, and Mac. Once executed, the JAR file implants the ADWIND Java RAT and infects the Java software running on the PC/laptop.

Once the user opens the attachment, the malicious payload persists itself by modifying the registry key and dropping a JAR file in %appdata% location. This JAR has multi-layer obfuscation to make analysis hard and bypass detection from AV products. Upon execution, this JAR file transforms into a Remote admin tool (JRat) which can perform various malicious activities such as keylogging, capturing screenshots, downloading additional payloads, and getting user information. The RAT then proceeds to steal the information about the bank customers including their account details/passwords and sends them to its command and control server.

Quick Heal recommends that employees in banks should take necessary security measures and avoid opening the attachments attached in the emails from unknown sources.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments