FlawedAmmyy RAT Takes Over Desktops (email attacks and massive, multi-million message campaigns)

LASER_oneXM

Thread author
Feb 4, 2016
A previously undocumented remote access Trojan (RAT) called FlawedAmmyy has been discovered as the payload in two massive email campaigns this week.

Proofpoint researchers discovered that the RAT has actually been used since the beginning of 2016 in both highly targeted email attacks and massive, multi-million message campaigns. Narrow attacks targeted the automotive industry, among others, while the large, malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks using Dridex, Locky and GlobeImposter, among others, over the last four years.

In the most recent campaigns, on March 5 and 6, the email messages carried zipped .url attachments and were sent from addresses spoofing the recipient's own domain. Subjects took the form “Receipt No” followed by random digits, and the attachment name matched the subject.

Windows treats a .url file as an Internet Shortcut. The shortcuts in these campaigns pointed at a JavaScript file hosted on a remote server and reached over the Server Message Block (SMB) protocol (a file:// URL that resolves to a UNC path); opening the shortcut retrieves and runs the script, which downloads Quant Loader, and Quant Loader in turn fetches FlawedAmmyy as the final payload. Because the first hop is an outbound SMB connection to the internet, blocking outbound TCP 445 at the perimeter breaks the chain before the script ever runs.
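The two checks a mail gateway or analyst would want for this chain are (a) does a zipped attachment contain an Internet Shortcut whose target is a remote SMB path or a script file, and (b) does the From: address claim the recipient's own domain without passing authentication. The script below is an added example written for this post; it is not code from Proofpoint or from the original article. The zip contents, the TEST-NET address 203.0.113.10, the domain corp.example and the Authentication-Results header value are all constructed for illustration.

```python
"""Triage helpers for the zipped .url lure described above (added example).

Everything here is constructed for illustration: the sample attachment, the
203.0.113.10 host and the corp.example domain are not real campaign artifacts.
"""
import configparser
import io
import os
import re
import zipfile
from urllib.parse import urlparse

# Extensions that Windows will execute directly when a shortcut points at them.
# .js is what the campaign used; the others are common siblings worth flagging.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def parse_url_file(data):
    """Return the URL= target of an [InternetShortcut] file, or None if unparseable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        # .url files are INI-style text; strip a BOM if one is present.
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """List the indicators that make a shortcut target suspicious (empty if none)."""
    url = url.strip()
    findings = []
    parsed = urlparse(url)
    # file://host/share/x.js is resolved as \\host\share\x.js: a remote SMB fetch.
    if parsed.scheme.lower() == "file" and parsed.netloc:
        findings.append(f"remote file:// target on host {parsed.netloc} (fetched over SMB)")
    elif url.startswith("\\\\"):
        findings.append("raw UNC path (fetched over SMB)")
    # Look at the final path segment only, so dots in a host name do not confuse us.
    path = parsed.path if parsed.scheme else url
    name = re.split(r"[\\/]", path)[-1]
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"executable target extension {ext}")
    return findings


def triage_zip(blob):
    """Map every .url member of a zipped attachment to its suspicious indicators."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = parse_url_file(zf.read(info))
            if target is None:
                report[info.filename] = ["unparseable InternetShortcut"]
            else:
                report[info.filename] = classify_target(target)
    return report


def spoofs_recipient_domain(from_addr, rcpt_addr, auth_results):
    """True when From: claims the recipient's own domain but DMARC did not pass.

    auth_results is the Authentication-Results header value added by the
    receiving MTA.  This is a coarse heuristic, not a full DMARC evaluation.
    """
    sender_dom = from_addr.rsplit("@", 1)[-1].lower()
    rcpt_dom = rcpt_addr.rsplit("@", 1)[-1].lower()
    if sender_dom != rcpt_dom:
        return False
    return "dmarc=pass" not in auth_results.lower()


def build_sample_attachment():
    """Constructed lure: one shortcut to a .js on an SMB share plus a benign one."""
    malicious = (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.10/share/Receipt_No_48311.js\r\n"  # constructed target
    )
    benign = "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Receipt No 48311.url", malicious)
        zf.writestr("invoice.url", benign)
        zf.writestr("readme.txt", "benign filler")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_attachment()).items():
        print(member, "->", findings or "clean")
    print(spoofs_recipient_domain("billing@corp.example", "jane@corp.example",
                                  "mx.corp.example; spf=fail smtp.mailfrom=corp.example; dmarc=fail"))
```

`classify_target` flags the remote fetch and the script extension independently, so a shortcut to a local `.js` or a remote `.pdf` still surfaces one indicator each; both together are the pattern this campaign used. The domain check only answers "does this message claim to be from us without proof"; a real gateway would enforce the published DMARC policy rather than string-match the header.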

The FlawedAmmyy RAT also appeared on March 1 in a narrowly targeted attack.

“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more,” Proofpoint researchers said in a blog. “We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.”
 
