Danish cyber-security firm Heimdal Security has detected a wave of spam email delivering malicious attachments laced with versions of the Adwind RAT (Remote Access Trojan).
The campaign took place over the weekend and according to Heimdal Security experts, it only targeted Danish companies.
Regardless of its initial scope, all spam emails were written in English, so an expansion to other countries may not take more than the push of a button somewhere in the crook's control panel.
Heimdal says the spam emails came with a file attachment named Doc-[Number].jar. A quick scan on VirusTotal reveals that no antivirus engines were able to detect the file as malicious, even if it was hiding the Adwind RAT, a four-year-old malware family.
Adwind first appeared on the market bearing the name of Frutas RAT (January 2012) and rebranded several times as Unrecom RAT (February 2014), AlienSpy (October 2014), and most recently as JSocket RAT (June 2015). Most security firms still call it Adwind, the name under which it made the most casualties.
A Kaspersky report released in February 2016, after authorities managed to shut down the crook's operation, revealed that the group behind this malware sold their toolkit to 1,800 other criminals, who then infected over 443,000 victims.
Crooks were delivering their malware in order to infect computers belonging to Danish companies.
The Adwind RAT would then open a backdoor on these infected systems and allow the crooks to take over devices, search for sensitive information and then exfiltrate it via various channels.
All computers were also added to a global botnet, which the malware's operator could have used to send spam or launch DDoS attacks if he wanted. Heimdal's team detected over eleven C&C servers used in this latest campaign.
"Online criminals seem to be turning their attention to more targeted attacks that require a smaller infrastructure to carry out. This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike," Heimdal's Andra Zaharia explains.
"Avoiding large-scale campaigns also means thay have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them."