Saturday, May 18, 2024

TA505 APT Hackers using New AndroMut Malware to Drop FlawedAmmyy RAT and Gain Remote Access

Researchers uncovered a new malware dropper called AndroMut from one of the infamous APT group TA505 to drop the FlawedAmmyy Remote Access Trojan gain the remote access from the infected victim’s computer.

TA505 hacking group believed to reside in Russia and the threat actors from this group involved in various high profile cyber attacks including infamous DridexLocky ransomwareServHelper malware, FlawedAmmyy, delivered through malicious email campaigns.

FlawedAmmyy is a full-featured RAT that was first observed in early 2016,  since then it was used by various cybercrime groups to attack thousands of victims around the world.

This campaign that observed by Proofpoint researchers through a spam email campaign that delivered Word or Excel file used macros to execute a Msiexec command.

AndroMut malware
Spam Email
AndroMut malware

Once the command is executed, Macro download and execute either the FlawedAmmyy loader or AndroMut. 

Another campaign targeted recipients at financial institutions in Singapore, UAE, and the USA.

According to Proofpoint researchers, “AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.”

Based on the malware observation, it resolves most of the Windows API calls at run time by hash and it using two ways to decrypt the strings.

In this case, The encrypted string is base64-decoded then decrypted with AES-256 in ECB mode.

Also, AndroMut using various anti-analysis technique and persistence technique to evade detection and make the analysis process hard to experts.

Researchers also observed some low-confidence overlaps between it and two other malware downloaders: Andromeda and QtLoader.

“Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans.  The new AndroMut downloader, when combined with the FlawedAmmy RAT as its payload appears to be TA505’s new pet for the summer of 2019.”

Indicators of Compromise (IOCs)


You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles