Microsoft Warns of Campaign Dropping Flawedammyy Rat in Memory

Microsoft issued a warning about an active spam campaign that tries to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.

The Microsoft Security Intelligence Twitter account explained in a thread that a currently active campaign "employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory."

Attacks will start after the victims open the attached .xls file that "automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory."

Spam email
Spam email

The executable will proceed to download and decrypt yet another malware payload named wsus.exe and digitally signed on June 19. This is the dropper which will decrypt and launch the attack's final malicious payload directly into the compromised computer's memory.

As discovered by Microsoft Security Intelligence, the payload is the FlawedAmmyy remote access Trojan, one of the favorite tools of a cybercriminal group named TA505 by Proofpoint which started dropping as part of spam campaigns targeting retailers and financial institutions. [1, 2, 3]

Just a week ago, Trend Micro's threat analysts detected a similar campaign to the one just observed by Microsoft, delivering the FlawedAmmyy  RAT via malicious .XLS attachments and targeting South Korean users, and attributed to the TA505 group.

Malicious XLS document
Malicious XLS document

Security researcher Vitali Kremez tweeted about several FlawedAmmyy samples delivered via other spam campaigns, digitally signed using code signing certificates from Thawte [1, 2].

Microsoft Security Intelligence issued another warning on June 7 about a malspam campaign delivering RTF attachments designed to exploit the Microsoft Office and Wordpad CVE-2017-11882 vulnerability.

While the CVE-2017-11882 vulnerability was patched by Microsoft two years ago, Redmond's security researchers state that the exploit is still actively being used in attacks, with "increased activity in the past few weeks."

Microsoft provides a full list of indicators of compromise (IOCs) including hashes of the digitally signed executables used in the campaign and of the FlawedAmmyy RAT HERE and HERE.

Related Articles:

Firebird RAT creator and seller arrested in the U.S. and Australia

New Bifrost malware for Linux mimics VMware domain for evasion

Microsoft fixes two Windows zero-days exploited in malware attacks

Visa warns of new JSOutProx malware variant targeting financial orgs

DinodasRAT malware targets Linux servers in espionage campaign