EXECUTIVE SUMMARY:
The JanaWare campaign is a coordinated, ransomware-driven malware operation that targets users through carefully crafted phishing emails and relies on a multi-stage infection chain. The attack primarily uses social engineering to trick victims into opening malicious attachments, which serve as the initial entry point. Once executed, the infection deploys a Remote Access Trojan (RAT), specifically Adwind, to establish a foothold on the compromised system. This approach allows the attackers to maintain control, perform reconnaissance, and prepare for subsequent payload delivery. The campaign appears targeted in nature, focusing on specific regions and users, which indicates a level of planning beyond opportunistic attacks. By combining phishing with RAT-based delivery, the adversaries achieve higher success rates and persistence before deploying the final ransomware payload.
The attack begins with a phishing email containing a malicious attachment designed to entice user interaction. Upon execution, the attachment deploys the Adwind RAT, a Java-based remote access tool capable of cross-platform operation. This RAT establishes persistence through system modifications such as registry changes or startup mechanisms, enabling it to survive reboots and maintain continuous access. It also initiates communication with command-and-control (C2) servers using application layer protocols, allowing attackers to remotely execute commands, exfiltrate information, and download additional payloads. After gaining sufficient control, the attackers deploy the JanaWare ransomware as the final stage. The ransomware encrypts files on the infected system, rendering them inaccessible to the user and effectively disrupting normal operations. Throughout the attack lifecycle, techniques such as obfuscation, process injection, and system discovery are used to evade security controls and understand the environment.
The JanaWare campaign underscores the growing sophistication of ransomware operations, where attackers employ layered techniques and multiple malware components to achieve their objectives. Instead of relying solely on direct ransomware delivery, the use of a RAT enables prolonged access, better targeting, and controlled deployment of the final payload. This significantly increases the likelihood of successful encryption and reduces the chances of early detection. The campaign also highlights the critical role of user awareness, as phishing remains the primary entry vector despite advancements in security technologies. Organizations must adopt a defense-in-depth strategy, combining email filtering, endpoint detection, network monitoring, and user training to mitigate such threats. Additionally, monitoring for unusual system behavior and unauthorized persistence mechanisms can help detect RAT activity before ransomware execution.
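The closing recommendation, monitoring for unauthorized persistence mechanisms before the ransomware stage, can be put into practice against the persistence technique named in this report (Registry Run Keys / Startup Folder) and the fact that Adwind is Java-based. The script below is an added example and is not part of the original report or of any vendor tooling: it parses the text shape of a `reg query ...\Run` export (the sample export is constructed, and every path, entry name and user name in it is invented) and flags autostart entries that launch `java.exe`/`javaw.exe` or pass `-jar`, where the launcher or the JAR lives in a user-writable directory. The list of user-writable directory markers is a triage heuristic assumed here, not an indicator published in the report.

```python
"""Triage Windows Run-key autostart entries for Java-based RAT persistence.

Added example, not from the report. Input is the text layout produced by
`reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`; the sample
below is constructed. The user-writable markers are an assumed heuristic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Java launchers a JAR-based RAT needs; matched on the executable basename.
JAVA_LAUNCHERS = {"java.exe", "javaw.exe", "javaws.exe"}

# Directory fragments a standard user can write to (assumption for triage).
# A Java autostart alone is weak evidence; Java plus one of these is strong.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# One value line of a `reg query` export: <name> <type> <data>.
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<value>.+?)\s*$")
# Command-line tokenizer: a double-quoted string or a run of non-blank chars.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample export: two benign entries, two suspicious ones.
SAMPLE_RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
    JavaUpdate    REG_SZ    "C:\Program Files\Java\jre-8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\Updater\update.jar"
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\javaw.exe -jar C:\Users\alice\AppData\Local\Temp\svc.jar
"""


@dataclass
class Finding:
    entry: str                 # Run-key value name
    launcher: str              # executable the entry starts
    jar: Optional[str]         # JAR passed via -jar, if any
    reasons: List[str] = field(default_factory=list)


def tokenize(command: str) -> List[str]:
    """Split a Run-key command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def analyze_entry(name: str, command: str) -> Optional[Finding]:
    """Return a Finding when the entry is a Java autostart from a user-writable path."""
    tokens = tokenize(command)
    if not tokens:
        return None
    launcher = tokens[0]
    base = launcher.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    jar = None
    if "-jar" in tokens:
        idx = tokens.index("-jar")
        if idx + 1 < len(tokens):
            jar = tokens[idx + 1]

    if base not in JAVA_LAUNCHERS and jar is None:
        return None  # not a Java autostart; out of scope for this check

    finding = Finding(entry=name, launcher=launcher, jar=jar)
    if jar is not None and in_user_writable(jar):
        finding.reasons.append("JAR loaded from user-writable location")
    if in_user_writable(launcher):
        finding.reasons.append("Java launcher itself in user-writable location")
    # A JAR autostart entirely under Program Files is left alone here.
    return finding if finding.reasons else None


def scan_run_key_export(text: str) -> List[Finding]:
    """Scan every value line in a `reg query` export and collect findings."""
    findings = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match is None:
            continue  # key header or blank line
        finding = analyze_entry(match["name"], match["value"])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_run_key_export(SAMPLE_RUN_KEY_EXPORT):
        print(f"[{f.entry}] {f.launcher} -jar {f.jar}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the constructed sample the two Program Files / System32 entries pass untouched and `JavaUpdate` and `Updater` are reported; the OneDrive entry, although it lives under AppData, is not reported because it is not a Java launcher, which keeps the check focused on the persistence shape this report describes. The same tokenizer and path test apply unchanged to the command lines behind Startup-folder shortcuts, which the report lists alongside Run keys.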
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Reconnaissance | T1598 | Phishing for Information | - |
| Resource Development | T1587 | Develop Capabilities | - |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059 | Command and Scripting Interpreter | - |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1027 | Obfuscated Files and Information | - |
| Defense Evasion | T1055 | Process Injection | - |
| Credential Access | T1555 | Credentials from Password Stores | - |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Command and Control | T1071 | Application Layer Protocol | - |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1486 | Data Encrypted for Impact | - |
REFERENCES:
The following reports contain further technical details:
https://therecord.media/new-janaware-ransomware-targeting-turkey
https://www.acronis.com/en/tru/posts/new-janaware-ransomware-targets-turkey-via-adwind-rat/