Monday, July 15, 2024

Beware !! Hackers Deliver FlawedAmmyy RAT via Weaponized Microsoft Word and PDF Documents

Cybercriminals spreading powerful FlawedAmmyy RAT via Weaponized Microsoft Word and PDF Attachments to spy victims device and steal the sensitive information Remotely.

Hackers always lookout for legitimate programs or application to evade detection and to execute code with minimal user interaction.

Matt Nelson from SpecterOps recently published research on how attackers could abuse “.SettingContent-ms” file formats to run arbitrary commands on the latest version of windows.

Bad Actors Adopted  – FlawedAmmyy RAT

The SettingContent-ms file introduced in Windows 10, it is an XML document used to create shortcuts to various Windows 10 setting pages. Proofpoint researchers observed TA505 hacking group using this new technique to spread FlawedAmmyy RAT.

Threat actors embed the SettingContent-ms file inside the Microsoft Word and PDF documents. “The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it.”

So if the users open a PDF file attachment with an embedded SettingContent-ms file, then windows would automatically run SettingContent-ms file and the PowerShell command contained within the “DeepLink” which leads to download and execute the FlawedAmmyy RAT.

The FlawedAmmy RAT functions
Remote Desktop control
File system manager
Proxy support
Audio Chat

Researchers observed the campaign first on June 18 and later on July 16 a large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.

“TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale. We will continue to monitor ways in which threat actors use this approach in the weeks to come.” Proofpoint researchers said.

To best way to defend this attack is to block.SettingContent-ms, with the Microsoft recent update on the list of dangerous files to block within Office 365 documents, “.SettingContent-ms” file has been added.

Also Read:

Beware of FlawedAmmyy-RAT that Steals Credentials and Record Audio Chat

Beware!! Google Map Vulnerability Allows an Attacker to Redirect Victims into Malicious Websites

Powerful APT Malware “Slingshot” Performs Highly Sophisticated Cyber Attack to Compromise Router


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles