3/12/2018
03:55 PM
FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.

A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.

Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.

The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isn't the first time Ammyy Admin has been abused; a July 2016 attack also used it to conceal malware.

FlawedAmmyy has the same functionality as the software's leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.

Messages in the early March campaigns were sent from addresses spoofing the recipients' domain and contained zipped .url attachments. Windows interprets .url files as Internet Shortcut files, and the attackers crafted these to point to "file://" network shares instead of "http://" links. Because of this, when the user clicks "Open," the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.
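A mail-gateway check for the delivery pattern described above, as an added example that is not from the article or from Proofpoint: it opens a zip attachment, parses any .url Internet Shortcut inside, and flags targets that resolve to a network share. The function names, file names and the `example.invalid` host are assumptions, and the sample archive is constructed inline.

```python
import io
import zipfile
from urllib.parse import urlparse

MAX_SHORTCUT_BYTES = 64 * 1024  # assumed cap; real .url files are tiny

def shortcut_target(data: bytes):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    in_section = False
    for line in data.decode("utf-8-sig", errors="replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def is_network_share(target: str) -> bool:
    """True for file:// URLs naming a remote host and for bare UNC paths."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target.replace("\\", "/"))
    # file://host/share and file:////host/share both resolve to a UNC path;
    # file:///C:/... is a local path and is not flagged here.
    return parsed.scheme == "file" and (bool(parsed.netloc) or parsed.path.startswith("//"))

def scan_zip(zip_bytes: bytes):
    """Return (member name, target) for each .url member pointing at a share."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            with zf.open(info) as member:
                target = shortcut_target(member.read(MAX_SHORTCUT_BYTES))
            if target and is_network_share(target):
                findings.append((info.filename, target))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: one share-backed shortcut and one ordinary web shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_constructed.url",
                    "[InternetShortcut]\r\nURL=file://files.example.invalid/share/invoice.js\r\n")
        zf.writestr("benign_constructed.url",
                    "[InternetShortcut]\r\nURL=https://example.com/\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, target in scan_zip(build_sample_zip()):
        print(f"quarantine: {name} -> {target}")
```
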

The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload. Researchers say this is the first time they've ever seen the combination of .url files and SMB protocol downloads. "That which is old is new again," says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.

Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesn't look like a link, and using that to obtain a file over SMB instead of http, is an "intricate and new approach" to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.

Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.

"The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware," he continues. "When you're not getting paid as much, you seek other sources of revenue."

Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.

"We see more mechanisms like this, with effectively intricate social engineering," he explains. "None of the FlawedAmmyy attacks work without a human taking action." Further, unless they remember opening the malicious email and clicking the link, there's virtually nothing a user would see that would give the Trojan away once it's on the target machines.

For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people don't think twice about opening documents disguised as bills or invoices, which these often are. If you weren't expecting it, think twice about opening it.

"'Enable' is a dangerous word," Epstein notes. "No bill or invoice you're receiving should require you to enable anything."

The vast majority of cyberattacks are financially motivated and based on the ROI for criminals. "Think like a business and put yourself in the shoes of the attacker," says Epstein. "The best defense is anything that increases their cost of doing business."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
tryingtoo,
User Rank: Apprentice
9/25/2018 | 12:11:24 PM
Remote access attacks

Weird sounds can mean there is someone monitoring your calls. You might have an undetectable spyware installed on your device with no other purpose but to steal all your information and most likely destroy the tapped device sometimes. You can always check for malware and other malicious programs that can cost you your money, credit card details and other information. 

jproske,
User Rank: Apprentice
3/13/2018 | 1:28:03 PM
SMB-Protocol via Internetfirewall
Call me an old-fashioned guy, but in the past the SMB Protocol was blocked at every Firewall to the Internet at first and as Standard. How is it possible to load a File from the Internet with the SMB Protocol these days? Did I miss something mentioned in the article?