Rajas Save

Winds of Winter - MalSpam Delivers Adwind RAT 2-1-2018

Blog Post created by Rajas Save Employee on Feb 5, 2018

On February 1st 2018, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a Buffer Overflow Vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code can be triggered by a specially crafted DOC or RTF file for un-patched MS Office products.




VirusTotal Analysis of delivery document paymentorder.doc confirms presence of RTF exploit.



After opening the document in a vulnerable Microsoft Word application, a connection is established to “pgamix[.]com” to download a malicious executable payload, using shell code present in RTF file,  which kicks off the following network events.



VirusTotal Analysis of final payload “babawire.jar” confirms that it’s Adwind, a Java based Remote Access Trojan (RAT). Adwind RAT is a multifunctional malware program and it is distributed through a single malware-as-a-service platform.


This file is a compressed stream containing 168 files. It imports multiple java packages required for execution of the Trojan.




Current RSA NetWitness detection populates following meta for the download sessions:



Although we didn't achieve a full detonation in our own sandbox, post-infection traffic from  Malware-Traffic-Analysis.net populates following meta for the download sessions with Current RSA NetWitness detection:




More detailed information about CVE-2012-0158 can be found here:

Triaging Malicious Microsoft Office documents CVE-2012-0158 


Thanks go to Kevin Stear and Ahmed Sonbol for contributing to this threat advisory.