FlawedAmmyy

FlawedAmmyy is a Remote Access Trojan – a malware that is utilized by attackers to take full control over the target machine. It is based on the source code of a completely legitimate program Ammyy Admin. Despite this RAT being recorded as a new malware in 2018, some researchers suggest that it has been in use since 2016.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 January, 2016
  • Last seen
    4 November, 2019
Global rank
25
Week rank
25
Month rank
27
IOCs
62

General description of FlawedAmmyy

FlawedAmmyy has been used by multiple attackers in massive email-spam campaigns as well as in highly targeted cyber attacks aimed at businesses in the automotive industry. Among others, a well known hacker operating under the alias TA505 is known to have been using this malware in large scale campaigns.

Being built using leaked source code of the third version of Ammyy Admin – which is legitimate remote access and administration program – FlawedAmmyy enables attackers to perform multiple actions on infected Windows PCs. With this malware, hackers can control the desktop remotely, manipulate files, steal credentials and access audio on an infected machine to potentially collect information about their victims.

The popularity of FlawedAmmyy started rising especially quickly in 2018, as the focus of malicious actors started shifting from operating ransomware to other types of malicious programs. In particular, in November of 2018 a threat actor known as TA505 started distributing various loader viruses in their spam email campaigns – using ServHelper at first and later switching to AndroMut – with the end goal of infecting victims with FlawedAmmyy.

In particular, researchers have detected two separate campaigns that distributed FlawedAmmyy using AndroMut loader – the first campaign targeted victims in South Korea with HTML attachments designed to download an Office file with malicious macros which installed a loader which would in turn, drop the main payload – FlawedAmmyy RAT. The scope of other campaigns featuring AndroMut was more broad and included enterprises in the USA, UAE, and Singapore.

Other campaigns not necessarily by TA505 that took place in 2019 made use of an XLM document that contained a malicious macro which downloaded FlawedAmmyy directly, bypassing the loader stage.

Interactive analysis of FlawedAmmyy

A video recorded in the ANY.RUN malware hunting service displays the execution process of FlawedAmmyy, allowing to examine it in a convenient and safe environment.

flawedammyy execution process graph

Figure 1: Displays the graph of processes generated by the ANY.RUN malware analyzing service

text report of the flawedammyy analysis

Figure 2: Even more information about the execution of malware can be found in customizable text reports generated by ANY.RUN

FlawedAmmyy Execution process

Usually, FlawedAmmyy makes its way into the machine through mail spam in a form of a MS Word or MS Excel document with malicious macro. Examples of such malicious docs you can find on ANY.RUN's public submissions browsing by tag maldoc-21. After malicious .xls file is opened, it automatically runs a macro function that runs either msiexec.exe or cmd.exe to download and execute the first stage payload. This first stage executable file then downloads and decrypts another file, which usually has a filename "wsus.exe" and it is the FlawedAmmyy malware itself. Wsus.exe creates persistence in the system and communicates with C2 servers.

Sometimes malicious executable files are digitally signed with a certificate from trusted vendors. Also it's interesting that trojan checks the user privileges and presence of Anti-Virus programs on the infected machine and changes behavior based on results of this check.

Distribution of FlawedAmmyy

FlawedAmmyy is distributed with spam email campaigns with subjects usually concerning invoices or receipts. Emails can contain a .zip attachment disguised to contain information related to the email subject, a Microsoft Office file or an XML attachment. Attached files, in reality, can hold a URL which automatically opens a browser window and redirects victims to a website from where malware samples would be downloaded.

In some campaigns, another virus designed to install the final payload is downloaded first and it then drops FlawedAmmyy onto the machine. Other campaigns made use of something called the Server Message Block (SMB) protocol to download malware directly, bypassing the browser download which is quite a rare trick for malware.

How to prevent FlawedAmmyy attacks

Once FlawedAmmyy infects a PC, it can operate discreetly without letting users know that their machine is in fact infected. This allows attackers to collect various information about their victims overtime and makes this malware potentially very destructive.

However, adhering to simple online safety tips can make avoiding the infection fairly easy – as long as a user never clicks on suspicious links or downloads emails from unknown senders they will be safe. However, things get a little bit more complicated with FlawedAmmyy since some of the attacks are very targeted and feature believable emails.

Therefore users are advised to conduct their own checks about email authenticity and pay attention to small details before downloading files or following URLs in their correspondence.

How to export data from the analysis of FlawedAmmyy malware using ANY.RUN?

Analysts can export all significant events from a task to MISP for further analysis and export to IDS/SIEM systems or simply for share. Just click on the "Export" button and choose "MIST JSON format" in the drop-down menu.

export events from task with flawedammy into MISP JSON Figure 3: Export events from task with flawedammy into MISP JSON

Summary

FlawedAmmyy is an interesting malware which is capable of operating stealthily on infected machines and causing potentially serious damage with its remote access capabilities. It was featured both in massive, large-scale email spam campaigns as well as in targeted attacks against businesses operating in particular industries which indicates the diversity that operators behind this malware can show in regard to choosing their victims.

Security researchers only documented this malware in 2018 despite its being around since 2016, which means that it managed to operate in the dark for two whole years, evading researchers or maybe even tricking them. Thankfully, modern malware analysis services like ANY.RUN provides multiple specially designed tools to simplify and greatly streamline the research process to help us identify current and future threats.

IOCs

IP addresses
136.243.104.242
185.99.132.12
45.227.252.54
185.99.132.119
136.243.104.235
185.99.133.140
209.239.123.75
169.239.129.54
169.239.128.15
169.239.128.29
179.60.146.3
95.211.242.84
160.119.253.219
45.84.0.82
169.239.129.45
169.239.128.36
91.201.65.181
185.117.89.145
169.239.128.186
169.239.129.104
Hashes
5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa
d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54
cf7eee990787854cfc70be82d392fff5cf65d750e46650a9b18fb81c7924603f
1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
199e9f5ee069789055bef116a4eb4649d6d2a6c2922e55bc3558f585f89798a7
8baeed8d30b9bfbff3adda3496df1552ab4bed3a7092cb7b56543f9b844b0353
8655fb0ba3e61b2285ec50145cb5f863c6af92482a6c939d63d62b9b1112c921
8d4761a4a43813a529bcda234d1c0c147f6d855ee3520b4934abdc5d42d3ed48
ee272df32b119afcfe09ef624d067440deff982563b8d04b92790a59ad561eb8
7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81
4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
44714196518f67a0dcc504ae3d9d89fce2186509de37f9e859e04f4c1fe7548b
e401d2fe7f2c38209eaac8652044006db40171c504cd035943417bd82ab08a3d
2b8d1c99f8a142009066d4de303c812e1954e3d5682afb9c7ad308b2220892b1
080778c962f08179c0bf80303d8c2d755a7007f4d985302e8055872474015dfe
eb23d5d8e34e385baa5154b88620ed4ba48c96d2aef6595f4a6c92b043d75eca
deb909a02904b4311daae20dc5a1569bd11f4ed05456e4e4477ba6740a412e95
d7e8d1506e3f34a8afccd70b32764cd22ebdaae0ba8b764d5851f017d4d5941c
cd18bb2d63cf5a9509fe1c3d1d8f634bce0c51b5f7c0153372668f90c21b3ac5
Domains
isns.net
majul.com
hhihkonline.ooo

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a remote access trojan available as MaaS ( Malware-As-A-Service ). Adwind can collect user and system data, control the webcam of the infected machine, capture screenshots, install and run other malicious programs, log keystrokes, steal web browser passwords and more.
Read More
AgentTesla screenshot
AgentTesla
agenttesla trojan rat stealer
Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is a banking trojan that was spotted in the wild in 2018. Danabot differs from competing Trojans thanks to its robust delivery system and modular design. Since its first appearance, Danabot has obtained high popularity among cybercriminals and became an active threat in multiple regions of the world.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.
Read More
Emotet screenshot
Emotet
emotet trojan loader banker
Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.
Read More