Recently, cybersecurity company Proofpoint discovered a previously unreported remote-access Trojan (RAT) and named it “Flawed Ammyy,” which allows an attacker to gain full access to an infected computer.
Since January 2016, Flawed Ammyy has been spreading emails distributed through phishing campaigns. These phishing campaigns often use large-scale batch delivery to distribute e-mail to target a large number of different targets at the same time, but it does not rule out high-targeted attacks. For example, on January 16 this year, there was a highly targeted phishing campaign targeting the automotive industry.
FlawedAmmyy recently appeared in large-scale phishing campaigns on March 5th and 6th this year. The emails distributed during the event use a zip file as an attachment. It is named after the English word “Bill” or “Invoice” combined with a set of random numbers. Obviously, the sender wants to use fake bills and invoices as bait to trick the recipient to download and open the attachment.
Based on the content of the e-mail and the mode of dissemination, the operating team behind the Flawed Ammyy is considered to be the TA505, a hacking organization that has been active since 2014. In the past few years, the organization has successfully launched many large-scale cyber attacks by using bank Trojan Dridex and ransomware Locky and Jaff as attack tools.
The zip file contains an url file. Through parsing, we can see that the file content contains a link for downloading malicious JavaScript scripts. The url file is interpreted as an “Internet Shortcuts” file on Windows systems. For an example, you can find it in the “Favorites” folder of the Windows operating system. Normally, after double-clicking on this file, the web browser will launch and automatically respond to the web page.
However, when the recipient double-clicks on the url file, an alert window will be displayed. If “Open” is selected, the system will download and execute the JavaScript script file by calling the SMB protocol instead of launching the web browser.
This JavaScript script, in turn, downloads a loader, which is then downloaded by the loader and installs Flawed Ammyy on the infected computer.
According to Proofpoint, Flawed Ammyy builds on the source code of the third version of the leaked remote desktop software Ammyy Admin (a legitimate application). This makes it include some features of Ammyy Admin, such as remote desktop control, file system management, proxy support, and audio chat.
Source, Image: Proofpoint
