Thursday, March 28, 2024

TA505 APT Hackers using New AndroMut Malware to Drop FlawedAmmyy RAT and Gain Remote Access

Researchers have uncovered a new malware dropper called AndroMut, used by the infamous APT group TA505 to drop the FlawedAmmyy Remote Access Trojan and gain remote access to the infected victim’s computer.

The TA505 hacking group is believed to reside in Russia, and threat actors from this group have been involved in various high-profile cyber attacks, including the infamous Dridex, Locky ransomware, ServHelper malware and FlawedAmmyy, all delivered through malicious email campaigns.

FlawedAmmyy is a full-featured RAT that was first observed in early 2016; since then it has been used by various cybercrime groups to attack thousands of victims around the world.

This campaign was observed by Proofpoint researchers as a spam email campaign delivering Word or Excel files whose macros execute an Msiexec command.

[Figure: spam email delivering AndroMut malware]

Once the command is executed, the macro downloads and executes either the FlawedAmmyy loader or AndroMut.

Another campaign targeted recipients at financial institutions in Singapore, UAE, and the USA.

According to Proofpoint researchers, “AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.”

Based on analysis of the malware, it resolves most Windows API calls at run time by hash, and it uses two methods to decrypt its strings.

In one of these, the encrypted string is base64-decoded and then decrypted with AES-256 in ECB mode.
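Resolving API calls by hash, as described above, leaves the sample without a readable import table, so an analyst precomputes the hash of every candidate export and looks the sample's hashes up. The following is an added example of that analyst-side resolver; it is not code from the article or from Proofpoint's report. The ROR13 hash it uses is a common loader hash chosen for the demo and is an assumption: the article does not say which hash function AndroMut uses, and the export list is a constructed stand-in for a parsed DLL export table.

```python
"""
Added example (not from the article): resolving API-by-hash imports by
precomputing export-name hashes. ROR13 is an ASSUMED hash function for
illustration, not one the article attributes to AndroMut.
"""
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for DLL export tables. In a real workflow these names
# come from parsing the export directory of the DLLs on the analysed system.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateFileW", "CreateMutexA", "GetProcAddress",
                     "LoadLibraryA", "VirtualAlloc", "WriteFile"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "RtlDecompressBuffer"],
}


def ror13_hash(name: str) -> int:
    """32-bit hash: for each byte, rotate the accumulator right by 13, then add the byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Dict[str, Iterable[str]],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> 'dll!Export' for every candidate export name."""
    table: Dict[int, str] = {}
    for dll, names in exports.items():
        for name in names:
            label = f"{dll}!{name}"
            h = hash_fn(name)
            # Two exports hashing to the same value is a collision; keep both
            # so the analyst sees the ambiguity instead of a silent overwrite.
            table[h] = f"{table[h]} | {label}" if h in table else label
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash pulled from the sample to an export name, or None if unknown."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed list of hashes an analyst might have extracted from a sample.
    observed = [ror13_hash("LoadLibraryA"), ror13_hash("CreateMutexA"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, build_hash_table(SAMPLE_EXPORTS)).items():
        print(f"0x{h:08X} -> {name or 'UNRESOLVED (extend the export list)'}")
```

An unresolved hash usually means the export list is incomplete (add more DLLs) or the sample uses a different hash function; the resolver takes the hash function as a parameter so a second candidate can be tried without rewriting the table builder.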

AndroMut also uses various anti-analysis and persistence techniques to evade detection and make analysis harder for experts.

Researchers also observed some low-confidence overlaps between it and two other malware downloaders: Andromeda and QtLoader.

“Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans. The new AndroMut downloader, when combined with the FlawedAmmyy RAT as its payload appears to be TA505’s new pet for the summer of 2019.”

Indicators of Compromise (IOCs)

IOC Type  IOC
URL       hxxp://greenthumbsup[.]jp/20.06.2019_746.38.doc
URL       hxxp://fakers[.]co[.]jp/20.06.2019_130.22.doc
URL       hxxp://nagomi-753[.]jp/20.06.2019_800.77.doc
URL       hxxp://nanepashemet[.]com/20.06.2019_781.37.xls
SHA256    52f0aaff3654110e82586d21b07c8a3de23dc9efb3f4001daf412286282315c0
SHA256    d0aaf465a2569abbdcbafc049be1c1a643572f4ca185058833310435bfa53358
SHA256    eb3792fc83cd65823bc466e7253caf12064826b058230666d2ed51542ac59275
SHA256    f21039af47e7660bf8ef002dfcdb0c0f779210482ee1778ab7e7f51e8233e35c
SHA256    3e3eb26211459eb2d8b52a2429a52e7e12d2145d7733823d7415663537a0b6ca
SHA256    8621fa54946096ed38aee5cbcc068c0620416a05c17328a527673e808847850d
SHA256    c4963dcf6b32459740f6a3d3b4d06d9dc06f15087ca01775956df36206543301
SHA256    a905838db6e6617edd9d25baaaaee9c209381d456e809081977e27c3e0b15793
SHA256    59af9102a921130fd1d120f6cee7fc7cdfc28292a7a4a8c24233126604aa9443
SHA256    98b584b31457b21d0d48fcc78093439638e15dd1705e54182d9aa4ffad014c3a
SHA256    bb5054f0ec4e6980f65fb9329a0b5acec1ed936053c3ef0938b5fa02a9daf7ee
URL       hxxp://kreewalk[.com:80/viewforum.php
SHA256    5eddc55c0c445baf2752d56229fa384b7e3f1c7e76b22f43e389c6a711aa713a
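The IOC list above is published defanged (hxxp, [.]), so before it can be matched against telemetry it has to be refanged and parsed. The following is an added example of a small checker that does that and runs the URL IOCs over proxy log lines and the SHA256 IOCs over observed file hashes; it is not code from the article or from Proofpoint. The IOC values are the ones in the table; the log lines and observed hashes are constructed for the demo.

```python
"""
Added example (not from the article): refang the published IOCs and match
them against constructed proxy log lines and file hashes.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# IOC values copied from the article's table, defanged exactly as published.
DEFANGED_URLS = [
    "hxxp://greenthumbsup[.]jp/20.06.2019_746.38.doc",
    "hxxp://fakers[.]co[.]jp/20.06.2019_130.22.doc",
    "hxxp://nagomi-753[.]jp/20.06.2019_800.77.doc",
    "hxxp://nanepashemet[.]com/20.06.2019_781.37.xls",
    "hxxp://kreewalk[.com:80/viewforum.php",  # published with a lopsided bracket
]
SHA256_IOCS: Set[str] = {
    "52f0aaff3654110e82586d21b07c8a3de23dc9efb3f4001daf412286282315c0",
    "d0aaf465a2569abbdcbafc049be1c1a643572f4ca185058833310435bfa53358",
    "eb3792fc83cd65823bc466e7253caf12064826b058230666d2ed51542ac59275",
    "f21039af47e7660bf8ef002dfcdb0c0f779210482ee1778ab7e7f51e8233e35c",
    "3e3eb26211459eb2d8b52a2429a52e7e12d2145d7733823d7415663537a0b6ca",
    "8621fa54946096ed38aee5cbcc068c0620416a05c17328a527673e808847850d",
    "c4963dcf6b32459740f6a3d3b4d06d9dc06f15087ca01775956df36206543301",
    "a905838db6e6617edd9d25baaaaee9c209381d456e809081977e27c3e0b15793",
    "59af9102a921130fd1d120f6cee7fc7cdfc28292a7a4a8c24233126604aa9443",
    "98b584b31457b21d0d48fcc78093439638e15dd1705e54182d9aa4ffad014c3a",
    "bb5054f0ec4e6980f65fb9329a0b5acec1ed936053c3ef0938b5fa02a9daf7ee",
    "5eddc55c0c445baf2752d56229fa384b7e3f1c7e76b22f43e389c6a711aa713a",
}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], (.), and the lopsided '[.' form) so the URL parses."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return re.sub(r"[\[(]\.[\])]?|\.\]", ".", url)


def ioc_hosts(defanged: List[str]) -> Dict[str, str]:
    """Map each IOC hostname (lower-case) to its refanged full URL."""
    hosts: Dict[str, str] = {}
    for d in defanged:
        clean = refang(d)
        host = urlsplit(clean).hostname
        if host:
            hosts[host.lower()] = clean
    return hosts


URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def scan_proxy_log(lines: List[str], hosts: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, kind) for every line that touches an IOC host.

    kind is 'url' when the exact published URL was requested and 'host' for any
    other path on that host, which still deserves a look but is weaker evidence.
    """
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host in hosts:
                kind = "url" if url.lower() == hosts[host].lower() else "host"
                hits.append((n, host, kind))
    return hits


def check_hashes(observed: List[str], known: Set[str]) -> List[str]:
    """Return the observed SHA256 values (normalised to lower-case) that are in the IOC set."""
    return sorted(h.lower() for h in observed if h.lower() in known)


# Constructed sample input (not real telemetry).
SAMPLE_LOG = [
    "2019-06-20T10:01:02Z 10.0.0.5 GET http://greenthumbsup.jp/20.06.2019_746.38.doc 200",
    "2019-06-20T10:01:09Z 10.0.0.5 GET http://example.org/index.html 200",
    "2019-06-20T10:02:41Z 10.0.0.7 GET http://kreewalk.com:80/viewforum.php 200",
    "2019-06-20T10:03:00Z 10.0.0.9 GET http://nanepashemet.com/other.php 404",
]
SAMPLE_HASHES = [
    "52F0AAFF3654110E82586D21B07C8A3DE23DC9EFB3F4001DAF412286282315C0",
    "0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    hosts = ioc_hosts(DEFANGED_URLS)
    for hit in scan_proxy_log(SAMPLE_LOG, hosts):
        print("proxy hit:", hit)
    for h in check_hashes(SAMPLE_HASHES, SHA256_IOCS):
        print("hash hit:", h)
```

Matching on hostname as well as on the exact URL is deliberate: the document names in the table are campaign-specific and will not be the only paths ever served from those hosts, so a host-only hit is reported with a separate kind rather than dropped.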

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.