Endpoint

3/12/2018
03:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.

A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.

Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.

The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isn't the first time Ammyy Admin has been abused; a July 2016 attack also used it to conceal malware.

FlawedAmmy has the same functionality as the software's leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.

Messages in the early March campaigns were sent from addresses spoofing the recipients' domain and contained zipped .url attachments. The .url files are interpreted by Windows as Internet Shortcut files, which were designed by the attackers to be "file://" network shares instead of "http://" links. Because of this, when the user clicks "Open," the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.

The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload. Researchers say this is the first time they've ever seen the combination of .url files and SMB protocol downloads. "That which is old is new again," says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.

Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesn't look like a link, and using that to obtain a file over SMB instead of http, is an "intricate and new approach" to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.

Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.

"The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware," he continues. "When you're not getting paid as much, you seek other sources of revenue."

Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.

"We see more mechanisms like this, with effectively intricate social engineering," he explains. "None of the FlawedAmmyy attacks work without a human taking action." Further, unless they remember opening the malicious email and clicking the link, there's virtually nothing a user would see that would give the Trojan away once it's on the target machines.

For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people don't think twice about opening documents disguised as bills or invoices, which these often are. If you weren't expecting it, think twice about opening it.

"'Enable' is a dangerous word," Epstein notes. "No bill or invoice you're receiving should require you to enable anything."

The vast majority of cyberattacks are financial motivated and based on the ROI for criminals. "Think like a business and put yourself in the shoes of the attacker," says Epstein. "The best defense is anything that increases their cost of doing business."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jproske
100%
0%
jproske,
User Rank: Apprentice
3/13/2018 | 1:28:03 PM
SMB-Protocol via Internetfirewall
Call me an old-fashioned guy, but in the past the SMB Protocol was blocked at every Firewall to the Internet at first and as Standard. How is it possible to load a File from the Internet with the SMB Protocol these days? Did I miss something mentioned in the article?
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.