Microsoft: cybercrime launched a launched a malicious campaign that delivers the FlawedAmmyy RAT directly in memory. The infection chain starts with a weaponized email in Korean language
Cybercrime has launched a malicious campaign that delivers the FlawedAmmyy RAT directly in memory. It has been discovered by Microsoft cyber security experts. The malware attack, according to the researchers, starts with an email and an attachment with content in the Korean language. When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory. This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy.
The cyber security experts: The malware involved in the campaign is used bt TA505 APT, a cybercrime group focused on cyber attacks against financial institutions and retail companies with different TTPs
The malware was involved in attacks carried out by the threat actors tracked as TA505. The APT, according to Proof Point cyber security experts, is also behind many Dridex and Locky campaigns . Furthermore, Yoroi-Cybaze Z-Lab found a spike in the number of attacks against the banking sector and spotted a new email stealer used by the TA505. Finally, researchers at Trend Micro observed the group carrying out attacks, involving the FlawedAmmyy RAT and other RATs, against users in Latin America and East Asia. The APT, in fact, is a prolific cybercrime group known for its aggressions against multiple financial institutions and retail companies, using malicious spam campaigns and different malware. To reach their goal, the malicious hackers constantly update their codes and tactics, techniques, and procedures (TTPs).