Microsoft Warns about the new Campaign that Delivers FlawedAmmyy RAT via Weaponized MS Excel Documents

Microsoft uncovered a new campaign with a sophisticated infection chain delivering notorious FlawedAmmyy RAT as a final payload. The attack starts with an email that contains .XLS attachments and the contents of the email in the Korean language.

Previous campaigns that involve FlawedAmmyy RAT are carried out by TA505 threat actors, upon successful execution of backdoor let an attacker to control the machine remotely, manages the files, captures the screen.

How the Infection Occurs

Malicious .XLS file delivered through email, when the file executed it automatically runs a macro function that runs Windows Installer msiexec.exe used for download & installing MSI and MSP packages.

The downloaded MSI archive contains a digitally signed executable that is extracted and executed, it decrypts and runs another executable wsus.exe in memory, which in turn decrypts and runs the final payload in the memory.

The final payload that delivered directly in memory is the FlawedAmmyy, according to Microsoft Security Intelligence. The FlawedAmmyy digitally signed using a code signing certificate issued Thawte to the company Dream Body Limited. It appears the rat was signed and timestamped on June 19 and the samples detected on June 22.

The FlawedAmmy RAT functions

  • Remote Desktop control
  • File system manager
  • Proxy support
  • Audio Chat

Earlier this year TA505 distributed FlawedAmmyy RAT via weaponized MS Excel documents with malicious Excel 4.0 macro which is hard to detect by standard security controls.

Last October Cybercriminals used IQY Files to deliver FlawedAmmyy malware and executed the backdoor through PowerShell Process.

IoCs (SHA-256):

0e91e6e17f8c8e2f1ae29e13f116c8611cb7679607695eed355025295fb1999a (.xls),
19d8993c742fc1a7c651ab3dba4d8c7f5e142a8421e22dd0c20c2db2d5dccffd (MSI),
cb114123ca1c33071cf6241c3e5054a39b6f735d374491da0b33dfdaa1f7ea22 (digitally signed executable inside MSI)
c2c6f548fe6832c84c8ab45288363b78959d6dda2dd926100c5885de14c4708b (digitally signed wsus.exe),
6860de46fdea393bd48ca000ecff4047920a56728b7945f95a6ca0801c278097 (FlawedAmmyy RAT)

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago