TA505 APT Hackers using New AndroMut Malware to Drop FlawedAmmyy RAT and Gain Remote Access

Researchers uncovered a new malware dropper called AndroMut from one of the infamous APT group TA505 to drop the FlawedAmmyy Remote Access Trojan gain the remote access from the infected victim’s computer.

TA505 hacking group believed to reside in Russia and the threat actors from this group involved in various high profile cyber attacks including infamous Dridex, Locky ransomware, ServHelper malware, FlawedAmmyy, delivered through malicious email campaigns.

FlawedAmmyy is a full-featured RAT that was first observed in early 2016,  since then it was used by various cybercrime groups to attack thousands of victims around the world.

This campaign that observed by Proofpoint researchers through a spam email campaign that delivered Word or Excel file used macros to execute a Msiexec command.

Once the command is executed, Macro download and execute either the FlawedAmmyy loader or AndroMut. 

Another campaign targeted recipients at financial institutions in Singapore, UAE, and the USA.

According to Proofpoint researchers, “AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.”

Based on the malware observation, it resolves most of the Windows API calls at run time by hash and it using two ways to decrypt the strings.

In this case, The encrypted string is base64-decoded then decrypted with AES-256 in ECB mode.

Also, AndroMut using various anti-analysis technique and persistence technique to evade detection and make the analysis process hard to experts.

Researchers also observed some low-confidence overlaps between it and two other malware downloaders: Andromeda and QtLoader.

“Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans.  The new AndroMut downloader, when combined with the FlawedAmmy RAT as its payload appears to be TA505’s new pet for the summer of 2019.”

Indicators of Compromise (IOCs)

IOC	IOC Type
hxxp://greenthumbsup[.]jp/20.06.2019_746.38.doc	URL
hxxp://fakers[.]co[.]jp/20.06.2019_130.22.doc	URL
hxxp://nagomi-753[.]jp/20.06.2019_800.77.doc	URL
hxxp://nanepashemet[.]com/20.06.2019_781.37.xls	URL
52f0aaff3654110e82586d21b07c8a3de23dc9efb3f4001daf412286282315c0	SHA256
d0aaf465a2569abbdcbafc049be1c1a643572f4ca185058833310435bfa53358	SHA256
eb3792fc83cd65823bc466e7253caf12064826b058230666d2ed51542ac59275	SHA256
f21039af47e7660bf8ef002dfcdb0c0f779210482ee1778ab7e7f51e8233e35c	SHA256
3e3eb26211459eb2d8b52a2429a52e7e12d2145d7733823d7415663537a0b6ca	SHA256
8621fa54946096ed38aee5cbcc068c0620416a05c17328a527673e808847850d	SHA256
c4963dcf6b32459740f6a3d3b4d06d9dc06f15087ca01775956df36206543301	SHA256
a905838db6e6617edd9d25baaaaee9c209381d456e809081977e27c3e0b15793	SHA256
59af9102a921130fd1d120f6cee7fc7cdfc28292a7a4a8c24233126604aa9443	SHA256
98b584b31457b21d0d48fcc78093439638e15dd1705e54182d9aa4ffad014c3a	SHA256
bb5054f0ec4e6980f65fb9329a0b5acec1ed936053c3ef0938b5fa02a9daf7ee	SHA256
hxxp://kreewalk[.com:80/viewforum.php	URL
5eddc55c0c445baf2752d56229fa384b7e3f1c7e76b22f43e389c6a711aa713a	SHA256

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.