Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/12/2018
03:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.

A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.

Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.

The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isn't the first time Ammyy Admin has been abused; a July 2016 attack also used it to conceal malware.

FlawedAmmy has the same functionality as the software's leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.

Messages in the early March campaigns were sent from addresses spoofing the recipients' domain and contained zipped .url attachments. The .url files are interpreted by Windows as Internet Shortcut files, which were designed by the attackers to be "file://" network shares instead of "http://" links. Because of this, when the user clicks "Open," the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.

The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload. Researchers say this is the first time they've ever seen the combination of .url files and SMB protocol downloads. "That which is old is new again," says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.

Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesn't look like a link, and using that to obtain a file over SMB instead of http, is an "intricate and new approach" to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.

Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.

"The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware," he continues. "When you're not getting paid as much, you seek other sources of revenue."

Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.

"We see more mechanisms like this, with effectively intricate social engineering," he explains. "None of the FlawedAmmyy attacks work without a human taking action." Further, unless they remember opening the malicious email and clicking the link, there's virtually nothing a user would see that would give the Trojan away once it's on the target machines.

For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people don't think twice about opening documents disguised as bills or invoices, which these often are. If you weren't expecting it, think twice about opening it.

"'Enable' is a dangerous word," Epstein notes. "No bill or invoice you're receiving should require you to enable anything."

The vast majority of cyberattacks are financial motivated and based on the ROI for criminals. "Think like a business and put yourself in the shoes of the attacker," says Epstein. "The best defense is anything that increases their cost of doing business."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tryingtoo
50%
50%
tryingtoo,
User Rank: Apprentice
9/25/2018 | 12:11:24 PM
Remote access attacks

Weird sounds can mean there is someone monitoring your calls. You might have an undetectable spyware installed on your device with no other purpose but to steal all your information and most likely destroy the tapped device sometimes. You can always check for malware and other malicious programs that can cost you your money, credit card details and other information. 

jproske
100%
0%
jproske,
User Rank: Apprentice
3/13/2018 | 1:28:03 PM
SMB-Protocol via Internetfirewall
Call me an old-fashioned guy, but in the past the SMB Protocol was blocked at every Firewall to the Internet at first and as Standard. How is it possible to load a File from the Internet with the SMB Protocol these days? Did I miss something mentioned in the article?
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...