Cisco Blogs

Adwind Dodges AV via DDE

September 24, 2018 - 0 Comments

This blog post is authored by Paul RascagneresVitor Ventura and with the contribution of Tomislav Pericin and Robert Perica from ReversingLabs.


Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software.

The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.

More information

Leave a comment

We'd love to hear from you! Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed and HTML formatting will not appear.