A previously undocumented remote access Trojan (RAT) called FlawedAmmyy has been discovered as the payload in two massive email campaigns this week.
Proofpoint researchers discovered that the RAT has actually been used since the beginning of 2016 in both highly targeted email attacks and massive, multi-million message campaigns. Narrow attacks targeted the automotive industry, among others, while the large, malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks using Dridex, Locky and GlobeImposter, among others, over the last four years.
In the most recent campaigns, on March 5 and 6, email messages carrying zipped .url attachments were sent from addresses spoofing the recipient’s own domain, with subjects such as “Receipt No” followed by random digits and attachment names to match.
Windows interprets .url files as internet shortcut files; when clicked, the ones used here download and execute a JavaScript file over the Server Message Block (SMB) protocol. The JavaScript file in turn downloads Quant Loader, which then fetches the FlawedAmmyy RAT as the final payload.
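The delivery chain described above (a .url internet shortcut whose target is fetched over SMB and is a script, delivered by mail that spoofs the recipient's own domain with a "Receipt No" subject) can be triaged with a few checks on the attachment and the message headers. The Python below is an added example written for this page, not Proofpoint's code; the sample shortcut contents, the 203.0.113.10 host and the e-mail addresses are constructed placeholders, and the list of flagged extensions beyond .js is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample .url (Internet Shortcut) contents; host and file name are placeholders, not campaign IoCs.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/invoices/receipt.html\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/Receipt_No_48213.js\r\n"
    "IconIndex=3\r\n"
)

# Assumed list of script/executable extensions worth flagging when reached through a shortcut.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr")
SUBJECT_LURE = re.compile(r"^\s*receipt\s+no\s*\d+", re.I)

def parse_internet_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None

def shortcut_findings(text):
    """Flag .url targets that resolve over SMB (UNC path) or point at a script/executable."""
    target = parse_internet_shortcut(text)
    if target is None:
        return []
    findings = []
    parsed = urlparse(target)
    # Two UNC spellings: a bare \\host\share\... path, or file://host/share/... (Windows maps the host part to SMB).
    is_unc = target.startswith("\\\\") or (parsed.scheme.lower() == "file" and bool(parsed.netloc))
    if is_unc:
        findings.append("unc_smb_target")
    name = target.replace("\\", "/").rsplit("/", 1)[-1].split("?", 1)[0].lower()
    if name.endswith(SCRIPT_EXTENSIONS):
        findings.append("script_or_executable_target")
    return findings

def email_findings(sender, recipient, subject):
    """Flag the lure traits of the March 5-6 mails: sender domain equal to the recipient's, 'Receipt No <digits>' subject."""
    findings = []
    if sender.rsplit("@", 1)[-1].lower() == recipient.rsplit("@", 1)[-1].lower():
        findings.append("sender_spoofs_recipient_domain")
    if SUBJECT_LURE.match(subject):
        findings.append("receipt_no_subject")
    return findings
```

A mail gateway can run `email_findings` on headers and `shortcut_findings` on every .url extracted from a zip attachment, quarantining when both sets are non-empty.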
The FlawedAmmyy RAT also appeared on March 1 in a narrowly targeted attack.
It is based on leaked source code for version 3 of the Ammyy Admin remote desktop software, and its features include remote desktop control, file system manager, proxy support and audio chat.
“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more,” Proofpoint researchers said in a blog. “We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.”