FlawedAmmyy RAT Takes Over Desktops

itman · Mar 7, 2018

A previously undocumented remote access Trojan (RAT) called FlawedAmmyy has been discovered as the payload in two massive email campaigns this week.

Proofpoint researchers discovered that the RAT has actually been used since the beginning of 2016 in both highly targeted email attacks and massive, multi-million message campaigns. Narrow attacks targeted the automotive industry, among others, while the large, malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks using Dridex, Locky and GlobeImposter, among others, over the last four years.

In the most recent campaigns, on March 5 and 6, email messages containing zipped URL attachments were sent from addresses spoofing the recipient’s own domain, with subjects such as “Receipt No” with random digits following, with matching attachments.

The URL files are interpreted by Microsoft Windows as internet shortcut files, but when clicked, they download and execute a JavaScript file over the Server Message Block (SMB) protocol; the JavaScript file in turn downloads Quant Loader and then FlawedAmmyy RAT as the final payload.
Click to expand...

https://www.infosecurity-magazine.com/news/flawedammyy-rat-takes-over-desktops/

A bit more detail from the ProofPoint article:

The .url files are interpreted by Microsoft Windows as “Internet Shortcut” files [1], examples of which can be found in the “Favorites” folder on Windows operating systems. This type of file can be created manually [2]; they are intended to serve as links to internet sites, launching the default browser automatically. However, in this case the attacker specified the URL to be a “file://” network share instead of the typical http:// link. As a result, the system downloads and executes a JavaScript file over the SMB protocol rather than launching a web browser if the user clicks “Open” on the warning dialog shown in Figure 3.
Click to expand...

https://www.proofpoint.com/us/threa...ource-code-ammyy-admin-turned-flawedammyy-rat

Great example of SMB being used malicious - no exploit needed.

SKA · Mar 7, 2018

Is it possible to disable SMB all versions in Windows 7 Pro/Ultimate and W10 Pro ?
How ?

Thanks for any tips/links
Ska

itman · Mar 9, 2018

SKA said: ↑

Is it possible to disable SMB all versions in Windows 7 Pro/Ultimate and W10 Pro ?
How ?
Click to expand...

The same recommendation for previous SMB based attacks applies to this attack. That is port 137-139 and 445 inbound and outbound traffic be limited by firewall to local network IP addresses; i.e usually 192.160.0.0 - 192.168.0.255 or 192.160.1.0 - 192.168.1.255. This is especially true for Win 7 where port 445 is not locked down as it is in later Win OS vers..

Also care needs to taken not to block any security solution localhost proxy connections through these ports in so employed.

Additional mtigations would be to use a security solution with IDS protection and configure it to deny access to Admin shares via SMB protocol.

guest · Mar 2, 2019

FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
March 2, 2019
https://securityaffairs.co/wordpress/81857/malware/flawedammyy-undetected-xlm-macros.html

SI-LAB has observed that Threat Actor (TA) 505 is now spreading the infamous FlawedAmmyy remote control backdoor using an old technique that is evading AV detection. The threat is only detected later when an MSI file (Windows installer) drops and execute the first infection stage of the malware.

Malicious XLM macro code is located within a hidden form to avoid the attention of the victims.
The macro makes several string concatenations and executes via a pivot msiexec.exe process. This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs.

The xls sample was submitted onto the Virus Total but no detections were noted.
Microsoft is now using the Antimalware Scanning Interface (AMSI) with Office 365 for scanning VBA macros. Since XLM macros have nothing to do with the VBA engine, we suspected that XLM could be used to circumvent AMSI.
Click to expand...

guest · Jun 25, 2019

Microsoft Warns about the new Campaign that Delivers FlawedAmmyy RAT via Weaponized MS Excel Documents
June 25, 2019
https://gbhackers.com/microsoft-warns-flawedammyy-rat/

Microsoft uncovered a new campaign with a sophisticated infection chain delivering notorious FlawedAmmyy RAT as a final payload. The attack starts with an email that contains .XLS attachments and the contents of the email in the Korean language.
How the Infection Occurs
Malicious .XLS file delivered through email, when the file executed it automatically runs a macro function that runs Windows Installer msiexec.exe used for download & installing MSI and MSP packages.
The downloaded MSI archive contains a digitally signed executable that is extracted and executed, it decrypts and runs another executable wsus.exe in memory, which in turn decrypts and runs the final payload in the memory.

The FlawedAmmyy digitally signed using a code signing certificate issued Thawte to the company Dream Body Limited. It appears the rat was signed and timestamped on June 19 and the samples detected on June 22.
Click to expand...

Log in or Sign up

FlawedAmmyy RAT Takes Over Desktops

itman Registered Member

SKA Registered Member

itman Registered Member

guest Guest

guest Guest

Log in or Sign up

FlawedAmmyy RAT Takes Over Desktops

itman Registered Member

SKA Registered Member

itman Registered Member

guest Guest

guest Guest

Useful Searches