FlawedAmmyy is a remote access trojan (RAT) that has been deployed since at least the beginning of 2016. Threat actors have used this trojan in both highly targeted and large, indiscriminate campaigns. According to Proofpoint analysts, the targeted campaigns have affected the automotive industry, while the large campaigns are associated with the TA505 threat actor, which is also linked to many other significant spam campaigns. FlawedAmmyy was most recently deployed in malicious email campaigns on March 5 and 6, 2018.
FlawedAmmyy was built from the source code of version 3 of the Ammyy Admin remote desktop software. The RAT provides the attacker with the following functionality: remote desktop control, a file system manager, proxy support, and audio chat. The FlawedAmmyy C2 protocol is carried as HTTP over port 443. An infection gives the threat actors full control over the victim's system.
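One defensive check that follows from the C2 description above is to look for connections on TCP/443 that a protocol analyser identified as plain HTTP rather than TLS. The following is an added example, not code from Proofpoint or from the original page; it assumes a simplified Zeek-style conn.log layout (tab-separated ts, id.orig_h, id.resp_h, id.resp_p, proto, service) and uses constructed sample lines.

```python
"""Flag cleartext HTTP on TCP/443, the traffic shape the FlawedAmmyy
C2 channel uses according to the summary above.

Assumed input: simplified Zeek-style conn.log lines (tab-separated) with
the fields ts, id.orig_h, id.resp_h, id.resp_p, proto, service. The
service column is what the analyser identified by inspecting the
payload, so 'http' on port 443 means the payload was not TLS.
The sample lines below are constructed, not real telemetry.
"""
from typing import Dict, List

FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed sample: one TLS session, one cleartext HTTP session on 443,
# one ordinary HTTP session on 80, and one 443 session with no service
# identified ('-').
SAMPLE_CONN_LOG = """\
1520208000.123\t10.0.0.12\t203.0.113.10\t443\ttcp\tssl
1520208001.456\t10.0.0.12\t203.0.113.20\t443\ttcp\thttp
1520208002.789\t10.0.0.13\t203.0.113.30\t80\ttcp\thttp
1520208003.012\t10.0.0.14\t203.0.113.40\t443\ttcp\t-
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated records; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def cleartext_http_on_443(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Connections where HTTP (not TLS) was identified on TCP/443."""
    return [r for r in records
            if r["proto"] == "tcp" and r["id.resp_p"] == "443"
            and r["service"] == "http"]


def unidentified_on_443(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """TCP/443 connections with no identified service; worth a second look
    but not flagged as cleartext HTTP, to keep the alert precise."""
    return [r for r in records
            if r["proto"] == "tcp" and r["id.resp_p"] == "443"
            and r["service"] == "-"]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for hit in cleartext_http_on_443(recs):
        print("cleartext HTTP on 443:", hit["id.orig_h"], "->", hit["id.resp_h"])
    for rec in unidentified_on_443(recs):
        print("unidentified service on 443:", rec["id.orig_h"], "->", rec["id.resp_h"])
```

On the sample data this flags only the 10.0.0.12 to 203.0.113.20 session and lists the 203.0.113.40 session for review.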
In the previous campaign on March 1, threat actors targeted a small number of users. The malicious emails carried an attachment named 0103_022[.]doc that, if opened with macros enabled, would download the FlawedAmmyy RAT. A January 16 campaign used a very similar distribution method; however, the targets were users in the automotive industry and the attachments were named 16.01.2018[.]doc.
- Proofpoint provides additional technical details on FlawedAmmyy here.