Saturday, May 18, 2024

TA505 APT Hackers using New AndroMut Malware to Drop FlawedAmmyy RAT and Gain Remote Access

Researchers uncovered a new malware dropper called AndroMut, used by the infamous APT group TA505 to drop the FlawedAmmyy Remote Access Trojan and gain remote access to the infected victim's computer.

The TA505 hacking group is believed to reside in Russia, and the threat actors from this group have been involved in various high-profile cyber attacks, including the infamous Dridex, Locky ransomware, ServHelper malware, and FlawedAmmyy, delivered through malicious email campaigns.

FlawedAmmyy is a full-featured RAT that was first observed in early 2016; since then it has been used by various cybercrime groups to attack thousands of victims around the world.

Proofpoint researchers observed this campaign as a spam email campaign that delivered Word or Excel files, which used macros to execute a Msiexec command.

Figure: Spam Email

Once the command is executed, the macro downloads and executes either the FlawedAmmyy loader or AndroMut.
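A detection sketch for the delivery chain described above (Word or Excel starting Msiexec with a remote package source), added here as an example and not taken from Proofpoint or the original article. The event field names, process IDs, paths and the `example.invalid` host are constructed assumptions modelled on generic process-creation logs.

```python
import re

# Office applications the article names as the macro hosts (Word, Excel).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# msiexec accepts a URL as its package source; a remote source is the signal here.
REMOTE_SOURCE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a (possibly quoted) Windows path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def is_suspicious(event):
    """True when Word or Excel starts msiexec with a remote package source."""
    return (
        basename(event["image"]) == "msiexec.exe"
        and basename(event["parent_image"]) in OFFICE_PARENTS
        and bool(REMOTE_SOURCE.search(event["command_line"]))
    )


def detect(events):
    """Return the process IDs of matching process-creation events."""
    return [e["pid"] for e in events if is_suspicious(e)]


# Constructed sample events; field names are assumptions, hosts are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"pid": 5332,  # user-launched local install: parent is not Office
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Installers\app.msi"},
    {"pid": 6011,  # quoted image path and upper-case scheme still match
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r'"C:\Windows\System32\msiexec.exe"',
     "command_line": "msiexec /q /i HTTP://example.invalid/a.msi"},
    {"pid": 7044,  # Office parent but local package: no remote source
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Temp\addin.msi"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```
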

Another campaign targeted recipients at financial institutions in Singapore, UAE, and the USA.

According to Proofpoint researchers, “AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.”

Based on analysis of the malware, it resolves most Windows API calls at run time by hash and uses two methods to decrypt its strings.

In this case, the encrypted string is base64-decoded and then decrypted with AES-256 in ECB mode.
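A static-triage helper for the string scheme described above, added here as an example and not taken from Proofpoint's analysis. It picks out strings consistent with base64-wrapped AES ciphertext and reports 16-byte blocks repeated across strings, which ECB produces whenever two plaintext blocks are equal. The article does not publish the key, so nothing is decrypted; the sample strings are constructed stand-ins.

```python
import base64
import binascii
import re
from collections import defaultdict

AES_BLOCK = 16  # AES block size in bytes, independent of the 256-bit key
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_candidate(s):
    """Return decoded bytes if s could be base64 of AES ciphertext, else None."""
    if len(s) % 4 or not B64_TOKEN.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Block-cipher output is always a non-empty multiple of the block size.
    if not raw or len(raw) % AES_BLOCK:
        return None
    return raw


def triage(strings):
    """Return (candidates, shared): ciphertext per string, and blocks seen in >1 string."""
    candidates = {}
    owners = defaultdict(set)
    for s in strings:
        raw = decode_candidate(s)
        if raw is None:
            continue
        candidates[s] = raw
        for i in range(0, len(raw), AES_BLOCK):
            owners[raw[i:i + AES_BLOCK]].add(s)
    shared = {blk.hex(): sorted(o) for blk, o in owners.items() if len(o) > 1}
    return candidates, shared


# Constructed stand-ins for ciphertext blocks (not real AES output, not from a sample).
_BLK_A, _BLK_B, _BLK_C = (bytes(range(n, n + 16)) for n in (0x10, 0xA0, 0x50))
SAMPLE_STRINGS = [
    base64.b64encode(_BLK_A + _BLK_B).decode(),  # shares its first block...
    base64.b64encode(_BLK_A + _BLK_C).decode(),  # ...with this one
    "kernel32.dll",   # plain string: '.' is outside the base64 alphabet
    "mutshellmy777",  # mutex name from the article: length is not a multiple of 4
    "QUJD",           # valid base64, but 3 bytes is not a whole AES block
]

if __name__ == "__main__":
    found, repeated = triage(SAMPLE_STRINGS)
    print(len(found), repeated)
```
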

AndroMut also uses various anti-analysis and persistence techniques to evade detection and make analysis harder for experts.

Researchers also observed some low-confidence overlaps between it and two other malware downloaders: Andromeda and QtLoader.

“Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans. The new AndroMut downloader, when combined with the FlawedAmmyy RAT as its payload appears to be TA505’s new pet for the summer of 2019.”

Indicators of Compromise (IOCs)


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles