Microsoft issued a warning about an active spam campaign that tries to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.
The Microsoft Security Intelligence Twitter account explained in a thread that a currently active campaign "employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory."
Attacks will start after the victims open the attached .xls file that "automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory."
The executable will proceed to download and decrypt yet another malware payload named wsus.exe and digitally signed on June 19. This is the dropper which will decrypt and launch the attack's final malicious payload directly into the compromised computer's memory.
As discovered by Microsoft Security Intelligence, the payload is the FlawedAmmyy remote access Trojan, one of the favorite tools of a cybercriminal group named TA505 by Proofpoint which started dropping as part of spam campaigns targeting retailers and financial institutions. [1, 2, 3]