Microsoft recently uncovered a new campaign with a multi-stage infection chain that delivers the notorious FlawedAmmyy RAT as its final payload. The attack starts with an email carrying .XLS attachments; the content of the email is written in Korean.

Previous campaigns involving FlawedAmmyy RAT were carried out by the TA505 threat actors. Once the backdoor executes successfully, it lets an attacker control the machine remotely, manage its files, and capture the screen.

FlawedAmmyy is a remote access Trojan (RAT) that provides attackers with full access to a victim’s machine, and which also provides capabilities required for lateral movement on the network.

The threat can steal a broad range of data from the compromised systems, including files and credentials, can collect screenshots, and can also provide attackers with access to the computer’s camera and microphone.

Previous campaigns aiming to deploy the malware have been associated with the threat actor TA505, which is best known for the distribution of the Dridex banking Trojan and the Locky ransomware.

The recently observed attack, Microsoft reveals, begins with malicious emails carrying .xls attachments with content in Korean.

Once executed, the .xls file automatically runs a macro function to execute the legitimate msiexec.exe tool (the program that interprets packages and installs products on Windows machines), which in turn downloads an MSI archive.

Inside the MSI archive, the attackers hid a digitally signed executable designed to decrypt and execute another executable in memory once it is opened.

How the Infection Occurs:

A malicious .XLS file is delivered through email; when the file is executed, it automatically runs a macro function that launches the Windows Installer, msiexec.exe, which is used to download and install MSI and MSP packages.

“This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a tweet published by Microsoft Security Intelligence.

One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.
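The chain described above has one chokepoint a defender can watch for without any malware signature: an Office application spawning msiexec.exe with a package URL instead of a local path. The script below is an added example written for this article, not Microsoft's detection logic or telemetry. It parses a constructed, pipe-separated process-creation log (timestamp, parent image, image, command line; the field layout, the 203.0.113.10 address and the file names are all invented for the illustration) and tags each msiexec.exe launch by how closely it matches the campaign's Excel-to-msiexec-to-remote-MSI pattern.

```python
"""Flag the Office -> msiexec.exe -> remote MSI chain in process-creation logs.

Added example for this article; the log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts that should never be installing MSI packages on their own.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# msiexec fetching its package over HTTP(S) rather than from a local path.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample log: timestamp|parent image|image|command line.
SAMPLE_LOG = """\
2019-06-22T09:14:03Z|C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i http://203.0.113.10/update.msi /q
2019-06-22T09:20:11Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi
2019-06-22T09:21:30Z|C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2019-06-22T09:25:42Z|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /V
2019-06-22T09:31:05Z|C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Temp\\setup.msi /qn
"""


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Split one constructed log line into its four fields."""
    ts, parent, image, cmd = line.split("|", 3)
    return ProcessEvent(ts, parent, image, cmd)


def parse_log(text: str) -> List[ProcessEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity tag for an msiexec.exe launch, or None if uninteresting."""
    if basename(ev.image) != "msiexec.exe":
        return None
    office_parent = basename(ev.parent_image) in OFFICE_PARENTS
    remote = bool(REMOTE_URL.search(ev.command_line))
    if office_parent and remote:
        return "high"      # exactly the macro -> msiexec -> download-MSI chain
    if office_parent:
        return "medium"    # Office installing a local package is still abnormal
    if remote:
        return "low"       # URL installs are rare outside managed deployment
    return None


def find_suspicious(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, severity) for every flagged event in a log."""
    hits = []
    for ev in parse_log(text):
        tag = classify(ev)
        if tag:
            hits.append((ev.timestamp, tag))
    return hits


if __name__ == "__main__":
    for ts, tag in find_suspicious(SAMPLE_LOG):
        print(ts, tag)
```

Only the first sample line reproduces the campaign's chain and is tagged high; the Word launch of a local package is medium, and the explorer.exe and services.exe launches are left alone. In a real environment the same parent/child and command-line fields are available from Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled.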

FlawedAmmyy RAT functions:

  • Remote Desktop control
  • File system manager
  • Proxy support
  • Audio Chat

Earlier this year, TA505 distributed FlawedAmmyy RAT via weaponized MS Excel documents containing malicious Excel 4.0 macros, which are hard to detect with standard security controls.

Last October, cybercriminals used IQY files to deliver FlawedAmmyy malware and executed the backdoor through the PowerShell process.

IoCs (SHA-256):

  • 0e91e6e17f8c8e2f1ae29e13f116c8611cb7679607695eed355025295fb1999a (.xls)
  • 19d8993c742fc1a7c651ab3dba4d8c7f5e142a8421e22dd0c20c2db2d5dccffd (MSI)
  • cb114123ca1c33071cf6241c3e5054a39b6f735d374491da0b33dfdaa1f7ea22 (digitally signed executable inside MSI)
  • c2c6f548fe6832c84c8ab45288363b78959d6dda2dd926100c5885de14c4708b (digitally signed wsus.exe)
  • 6860de46fdea393bd48ca000ecff4047920a56728b7945f95a6ca0801c278097 (FlawedAmmyy RAT)
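A practical use of the hashes above is a one-off sweep of user download and temp directories on suspected hosts. The script below is an added example written for this article (not Microsoft's or any vendor's tool): it hashes every file under a directory tree in chunks, so large files do not have to be loaded whole, and reports any whose SHA-256 appears in the published IoC set. Because no real sample is available here, the demo() function builds a constructed directory with invented file contents and adds the hash of one of those files as a clearly labelled constructed IoC to show a match.

```python
"""Sweep a directory tree for files whose SHA-256 matches the published IoCs.

Added example for this article; the directory and contents built in demo() are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# The five SHA-256 IoCs published for this campaign, as listed in the article.
FLAWEDAMMYY_IOCS: Dict[str, str] = {
    "0e91e6e17f8c8e2f1ae29e13f116c8611cb7679607695eed355025295fb1999a": ".xls",
    "19d8993c742fc1a7c651ab3dba4d8c7f5e142a8421e22dd0c20c2db2d5dccffd": "MSI",
    "cb114123ca1c33071cf6241c3e5054a39b6f735d374491da0b33dfdaa1f7ea22": "signed executable inside MSI",
    "c2c6f548fe6832c84c8ab45288363b78959d6dda2dd926100c5885de14c4708b": "signed wsus.exe",
    "6860de46fdea393bd48ca000ecff4047920a56728b7945f95a6ca0801c278097": "FlawedAmmyy RAT",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, label) for every file under root whose hash is an IoC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree with one benign file and one 'sample', then sweep it.

    The sample's hash is added as a constructed IoC because no real malicious file
    is available in this example; the five real IoCs are kept in the set unchanged.
    """
    sample_bytes = b"constructed sample content\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"quarterly notes\n")
        sub = os.path.join(root, "Downloads")
        os.mkdir(sub)
        with open(os.path.join(sub, "invoice.xls"), "wb") as f:
            f.write(sample_bytes)
        iocs = dict(FLAWEDAMMYY_IOCS)
        iocs[hashlib.sha256(sample_bytes).hexdigest()] = "constructed test IoC"
        hits = sweep(root, iocs)
        # Normalise separators so the result reads the same on every platform.
        return [(os.path.relpath(p, root).replace(os.sep, "/"), label)
                for p, _, label in hits]


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"MATCH {rel_path}: {label}")
```

For a real sweep, call sweep() on the directory you want to check with FLAWEDAMMYY_IOCS alone; a match on the .xls hash identifies the lure document, while matches on the MSI or wsus.exe hashes indicate the chain progressed past the macro stage.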
