TA505 spreads FlawedAmmyy RAT by editing SettingContent-ms on PDF files

The well-known financial criminal group TA505 has manipulated a large-scale spam campaign that uses a brand new carrier to spread the FlawedAmmyy RAT, which contains a weaponised PDF of malicious SettingContent-ms files.

The SettingContent-ms file format introduced in Windows 10; it allows users to create “shortcuts” for various Windows 10 settings pages.

The code for this method also runs under the radar, and maliciously crafted files bypass only specific Windows 10 defences, such as attack surface reduction (ASR) and detecting dangerous file formats embedded in OLE. Of course, having a victim open a funky file format attached to an email can be a challenge, so attackers have begun inserting these formats into attachments that look even more harmless.

Therefore, SpecterOps researchers in June found that someone abused the SettingContent-ms file format in Microsoft Word documents. Subsequently, last week, Proofpoint researchers observed that this method has evolved and is being extended to PDF documents—a new technology that was previously unknown.

“On July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file. The messages in the campaign used a simple lure asking the user to open the attached PDF,” Proofpoint researchers report.

When you open the file, Adobe Reader displays a warning asking the user if they want to open the file because it tries to run the embedded “downl.SettingContent-ms” via JavaScript, just like any file format embedded in the PDF. If the target victim clicks OK, the PowerShell command included in the <DeepLink> element will deploy the FlawedAmmyy RAT.

The RAT has been active since 2016 and was only included in the scope of research by researchers earlier this year. The RAT is based on the leaked source code of Ammyy Admin Remote Desktop Software version 3, which includes remote desktop control, file system manager, proxy support and audio chat.

“For infected individuals, the attacker has full access to their computer, enabling threat actors to access various services, stealing files and credentials, etc. We saw FlawedAmmyy in two large-scale events. It may create large-scale attacks and targeted activities that provide opportunities for actors to steal customer data, proprietary information, etc.”

The basis for judging these activities to the financial criminal group TA505 is email messages, payloads, and other identifying features. The TA505 launched a large-scale malspam campaign to distribute a range of payloads using the Necurs botnet, including Dridex Bank Trojans, Locky ransomware, Jaff ransomware, Trick Bank Trojans, and several other payloads. It runs a variety of C&C servers, giving it the flexibility to remove, sinkholes and other defence operations.

The Proofpoint researchers said, “TA505 tends to operate at very large scale and sets trends among financially motivated actors because of their reach and campaign volumes. Our attribution is based on email messages, as well as payload and other identifying characteristics.”

Source, Image: Proofpoint