03:55 PM
Connect Directly

FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.

A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.

Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.

The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isn't the first time Ammyy Admin has been abused; a July 2016 attack also used it to conceal malware.

FlawedAmmy has the same functionality as the software's leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.

Messages in the early March campaigns were sent from addresses spoofing the recipients' domain and contained zipped .url attachments. The .url files are interpreted by Windows as Internet Shortcut files, which were designed by the attackers to be "file://" network shares instead of "http://" links. Because of this, when the user clicks "Open," the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.

The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload. Researchers say this is the first time they've ever seen the combination of .url files and SMB protocol downloads. "That which is old is new again," says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.

Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesn't look like a link, and using that to obtain a file over SMB instead of http, is an "intricate and new approach" to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.

Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.

"The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware," he continues. "When you're not getting paid as much, you seek other sources of revenue."

Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.

"We see more mechanisms like this, with effectively intricate social engineering," he explains. "None of the FlawedAmmyy attacks work without a human taking action." Further, unless they remember opening the malicious email and clicking the link, there's virtually nothing a user would see that would give the Trojan away once it's on the target machines.

For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people don't think twice about opening documents disguised as bills or invoices, which these often are. If you weren't expecting it, think twice about opening it.

"'Enable' is a dangerous word," Epstein notes. "No bill or invoice you're receiving should require you to enable anything."

The vast majority of cyberattacks are financial motivated and based on the ROI for criminals. "Think like a business and put yourself in the shoes of the attacker," says Epstein. "The best defense is anything that increases their cost of doing business."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
3/13/2018 | 1:28:03 PM
SMB-Protocol via Internetfirewall
Call me an old-fashioned guy, but in the past the SMB Protocol was blocked at every Firewall to the Internet at first and as Standard. How is it possible to load a File from the Internet with the SMB Protocol these days? Did I miss something mentioned in the article?
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.