FlawedAmmyy Remote Access Trojan

NJCCIC Alert

Original Release Date: 2018-10-24

The NJCCIC recently detected an uptick in malicious emails attempting to deliver the FlawedAmmyy remote access trojan (RAT) to State employees. FlawedAmmyy is a RAT that gives threat actors full control over infected systems, including Remote Desktop control, proxy support, audio chat, and file system manager functionality. Emails related to recent campaigns display subject lines such as "Invoice for" followed by random digits and the date, and contain an attached Microsoft Word document titled "Invoice" with random numbers. If recipients open the attached file and enable the macros, FlawedAmmyy will download onto their machine. As emails related to this campaign have previously evaded detection by some email security gateways, organizations are encouraged to notify users of this threat and of how to identify messages delivered with this campaign.

The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. If a FlawedAmmyy infection is strongly suspected but your anti-virus solution cannot detect or remove it, consider reimaging the affected system's hard drive. Also, proactively monitor any financial, personal, or business accounts accessed on infected systems, change their passwords, and enable multi-factor authentication where available.
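As a complement to user notification, the lure described above can be turned into a mailbox triage check. The following is an added example, not NJCCIC code: the regular expressions are assumptions (the alert gives no exact subject, date, or filename format), and `triage`, `macro_capable`, and `sample` are hypothetical names. The messages it builds are constructed test data.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed shapes: the alert gives no exact formats, so these patterns are loose.
SUBJECT_RE = re.compile(r"invoice for\s+\d+\s+\S*\d", re.I)        # digits, then a date-like token
ATTACH_RE = re.compile(r"invoice\D{0,3}\d+\.(docm?|docx)$", re.I)  # Word file named Invoice + digits
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")                      # legacy .doc container signature

def macro_capable(data: bytes) -> bool:
    """True for legacy OLE documents or OOXML packages carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        return True  # macros cannot be ruled out without an OLE parser
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches the lure described in the alert."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name.strip()):
            reasons.append("attachment-name")
            if macro_capable(part.get_payload(decode=True) or b""):
                reasons.append("macro-capable")
    return reasons

def sample(subject: str, filename: str, with_vba: bool) -> bytes:
    """Build a constructed test message; the attachment is an empty stand-in zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"placeholder")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content("see attached")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("Invoice for 83920 10/24/2018", "Invoice 55172.docm", True)))
    print(triage(sample("Invoice for March services", "Q3-report.docx", False)))
```

A message that matches on all three reasons is a candidate for quarantine and review; a subject or filename match alone will also hit legitimate invoices.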

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
