FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

  /     /     /  
Publicated : 22/11/2024   Category : security


FlawedAmmyy RAT Campaign Puts New Spin on Old Threat


A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.



A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.
Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.
The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isnt the first time Ammyy Admin has been abused; a
July 2016 attack
also used it to conceal malware.
FlawedAmmy has the same functionality as the softwares leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.
Messages in the early March campaigns were sent from addresses spoofing the recipients domain and contained zipped .url attachments. The .url files are interpreted by Windows as Internet Shortcut files, which were designed by the attackers to be file:// network shares instead of http:// links. Because of this, when the user clicks Open, the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.
The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload.
Researchers say
this is the first time theyve ever seen the combination of .url files and SMB protocol downloads. That which is old is new again, says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.
Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesnt look like a link, and using that to obtain a file over SMB instead of http, is an intricate and new approach to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.
Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.
The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware, he continues. When youre not getting paid as much, you seek other sources of revenue.
Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.
We see more mechanisms like this, with effectively intricate social engineering, he explains. None of the FlawedAmmyy attacks work without a human taking action. Further, unless they remember opening the malicious email and clicking the link, theres virtually nothing a user would see that would give the Trojan away once its on the target machines.
For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people dont think twice about opening documents disguised as bills or invoices, which these often are. If you werent expecting it, think twice about opening it.
Enable is a dangerous word, Epstein notes. No bill or invoice youre receiving should require you to enable anything.
The vast majority of cyberattacks are financial motivated and based on the ROI for criminals. Think like a business and put yourself in the shoes of the attacker, says Epstein. The best defense is anything that increases their cost of doing business.
Related Content:
What Happens When You Hold Robots for Ransom?
Slingshot Cyber Espionage Campaign Hacks Network Routers
North Korea Threat Group Targeting Turkish Financial Orgs
Olympic Destroyers False Flag Changes the Game
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018
agenda here
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
FlawedAmmyy RAT Campaign Puts New Spin on Old Threat