FlawedAmmyy is a remote access trojan (RAT) that has been deployed since at least early 2016. Threat actors have used it in both highly targeted and large, indiscriminate campaigns. According to Proofpoint analysts, the targeted campaigns have affected the automotive industry, while the large campaigns are attributed to the TA505 threat actor, which is also associated with many other significant spam campaigns. FlawedAmmyy was most recently deployed in malicious email campaigns on March 5 and 6, 2018.

FlawedAmmyy was built from the source code of version 3 of the Ammyy Admin remote desktop software. The RAT provides the attacker with remote desktop control, a file system manager, proxy support, and audio chat. FlawedAmmyy C2 communication uses HTTP over port 443. A FlawedAmmyy infection gives the threat actors full control over the victim's system.

In the March 5 campaign, the threat actors spoofed the sender addresses so that their domain matched the recipients' email domain. The email subjects referred to supposed receipts, bills, or invoices, and the attachment names matched the subjects. The .url attachments are interpreted by Microsoft Windows as "Internet Shortcut" files. Instead of an http:// link, the threat actor specifies a file:// URL pointing to a network share. When the user attempts to open the attachment, a security warning popup appears; if the user clicks "Open," the system downloads and executes the JavaScript file over the SMB protocol instead of launching a web browser. The JavaScript then downloads the Quant Loader, which in turn downloads the FlawedAmmyy RAT.
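As an added example (not from the original report or from Proofpoint), the following Python triages .url attachments for the delivery pattern just described, flagging a file:// target on a remote share whose file name carries a script or executable extension; the sample shortcuts, host address and share names are constructed.

```python
"""Triage .url (Internet Shortcut) attachments for the lure described above: a
shortcut whose target is a file:// path on a remote SMB share, not a web link."""
import configparser
import os
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed samples, not artifacts from the campaign. 203.0.113.10 is a
# documentation (TEST-NET-3) address; share and file names are made up.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/invoice\r\n"
LURE_URL_FILE = ("\ufeff[InternetShortcut]\r\n"
                 "URL=file://203.0.113.10/share/invoice_1234.js\r\nIconIndex=0\r\n")
# Extensions Windows hands to a script host or loader when the target is opened.
EXEC_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe",
                   ".scr", ".bat", ".cmd", ".lnk"}


def extract_target(url_file_text: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut, or None if it has none."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(url_file_text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    for section in parser.sections():  # match the section name case-insensitively
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None


def assess_shortcut(url_file_text: str) -> dict:
    """Classify the target: remote share pointing at a script/executable file
    (the pattern used in this campaign), other remote share, or anything else."""
    target = extract_target(url_file_text)
    if target is None:
        return {"verdict": "unparsable", "target": None, "extension": ""}
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    # file://host/share/file and \\host\share\file both name a UNC (SMB) target;
    # file:///C:/... has an empty netloc and is a local path.
    remote_share = (scheme == "file" and parsed.netloc.lower() not in ("", "localhost")) \
        or target.startswith("\\\\")
    path = unquote(parsed.path if scheme else target).replace("\\", "/")
    extension = os.path.splitext(path.rsplit("/", 1)[-1])[1].lower()
    if remote_share and extension in EXEC_EXTENSIONS:
        verdict = "suspicious"
    elif remote_share:
        verdict = "remote_share"
    else:
        verdict = "other"
    return {"verdict": verdict, "target": target, "extension": extension}
```

Running `assess_shortcut(LURE_URL_FILE)` returns the verdict `suspicious`, while the benign web shortcut returns `other`.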

In the earlier March 1 campaign, the threat actors targeted a small number of users. The malicious emails carried an attachment named 0103_022[.]doc that, if opened with macros enabled, would download the FlawedAmmyy RAT. A January 16 campaign used a very similar distribution method; however, the targets were users in the automotive industry and the attachments were named 16.01.2018[.]doc.

Technical Details

  • Proofpoint provides additional technical details on FlawedAmmyy here.