There are many applications to activate the remote control of a computer, but very few of them are as easy to control and use as Ammyy Admin. The function of Ammyy Admin is double, because it acts at the same time as a remote control client that provides access to a computer, offering the IP and ID data of the device, as well as a server to open a window to access a remote computer.

Among the most noteworthy features of Ammyy Admin you will find:
Establish the maximum speed of the remote desktop.
Activate the 'view' option, that allows you to view a computer remotely without interacting with it.
Includes an address book where the user will be able to input the ID or IP of the computers that are connected.

Ammyy Admin can be used for many different options, such as working remotely, offering technical assistance or for online presentations, to name only some of its possibilities. Download Ammyy Admin for free, it's the easiest way to control a computer remotely. This program is free for private use only. It is necessary to have the client installed and active on both computers to be able to establish a connection.

Proofpoint researchers have discovered a previously undocumented remote access Trojan (RAT) called FlawedAmmyy that has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. Narrow attacks targeted the Automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014.

FlawedAmmyy appeared most recently as the payload in massive email campaigns on March 5 and 6, 2018. The messages in these campaigns contained zipped .url attachments, and both the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.

For example, on March 5, the messages were sent from addresses spoofing the recipient’s own domain with subjects such as “Receipt No 1234567” (random digits; the first word could also be “Bill” or “Invoice”) and matching attachments "Receipt 1234567.zip". The attachments were ZIP archives containing ".url" files with names such as "B123456789012.url". Again, these were apparently random digits (Figure 1).

Figure 1: Sample email from March 5, 2018, Ammyy Admin malware campaign

.url files are interpreted by Microsoft Windows as “Internet Shortcut” files, examples of which can be found in the “Favorites” folder on Windows operating systems. This type of file can be created manually; they are intended to serve as links to internet sites, launching the default browser automatically. However, in this case the attacker specified the URL to be a “file://” network share instead of the typical link. As a result, if the user clicks “Open” on the warning dialog shown in Figure 3, the system downloads and executes a JavaScript file over the SMB protocol rather than launching a web browser.

Figure 3: Warning dialog displayed after double-clicking the .url file

This JavaScript in turn downloads Quant Loader, which, in this case, fetched the FlawedAmmyy RAT as the final payload. The use of “.url” files and SMB protocol downloads is unusual, and this is the first time we have seen these methods combined.

The FlawedAmmyy RAT previously appeared on March 1 in a narrowly targeted attack. Emails contained an attachment 0103_022.doc (Figure 4), which used macros to download the FlawedAmmyy malware directly. This sample used the same command and control (C&C) address as the sample from the massive campaign on March 5.

Figure 4: Screenshot of the document attachment from March 1, 2018, FlawedAmmyy campaign

We also observed this RAT in a narrowly targeted attack that included the automotive industry, again delivered by a .doc which used macros to download the FlawedAmmyy RAT directly.

FlawedAmmyy is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software.

Figure 5: Strings from the analyzed January 16 sample contain references to the leaked Ammyy Admin Version 3
Figure 6: Snippet of Ammyy Admin Version 3 source code, file TrMain.cpp

As such, FlawedAmmyy contains the functionality of the leaked version, including:

The FlawedAmmyy C&C protocol occurs over port 443 with HTTP. In the initial handshake, sent by the client to the server, the first byte is always “=”, followed by 35 obfuscated and SEAL-encrypted bytes. After a server response (0x2d00), the infected client sends the second packet.
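The .url delivery described above (an Internet Shortcut whose target is a file:// network share, so that Windows fetches a script over SMB instead of opening a browser) can be triaged mechanically on the mail gateway. The following is an added example written for this page, not code from Proofpoint or from the original post: it parses the INI-style body of .url files found inside a ZIP attachment and flags any whose target uses the file:// scheme or is a bare UNC path. The ZIP members, the shortcut bodies and the 203.0.113.10 host are constructed sample data, not indicators from the campaign.

```python
"""
Added example (not from the original post): a small triage helper that
inspects Windows "Internet Shortcut" (.url) files carried inside ZIP email
attachments and flags targets that would be fetched over SMB instead of
opened in a browser. All sample content below is constructed.
"""
import io
import zipfile
from urllib.parse import urlparse

# Schemes that make Windows open the target through the file system / SMB
SUSPICIOUS_SCHEMES = {"file"}


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file into a {key: value} dict.

    Only the [InternetShortcut] section is considered; Windows treats the
    keys case-insensitively, so they are lower-cased here.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def _unc_host(target: str) -> str:
    """Host part of a UNC-style target such as \\\\host\\share or //host/share."""
    stripped = target.lstrip("\\/")
    return stripped.split("\\", 1)[0].split("/", 1)[0]


def classify_shortcut(text: str) -> dict:
    """Return a verdict for one .url body.

    A target is flagged when it uses the file:// scheme or is a bare UNC
    path, since either is resolved over SMB rather than by a web browser.
    """
    fields = parse_internet_shortcut(text)
    target = fields.get("url", "")
    parsed = urlparse(target)
    is_unc = target.startswith("\\\\") or target.startswith("//")
    suspicious = parsed.scheme.lower() in SUSPICIOUS_SCHEMES or is_unc
    return {
        "target": target,
        "scheme": parsed.scheme.lower() or ("unc" if is_unc else ""),
        "host": parsed.hostname or (_unc_host(target) if is_unc else ""),
        "suspicious": suspicious,
    }


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Open a ZIP attachment in memory and classify every .url member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            body = zf.read(info).decode("utf-8", errors="replace")
            verdict = classify_shortcut(body)
            verdict["member"] = info.filename
            findings.append(verdict)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary web shortcut and one SMB-style
    shortcut. 203.0.113.10 is a documentation address, not a real indicator."""
    benign = "[InternetShortcut]\r\nURL=https://example.org/\r\n"
    smb = "[InternetShortcut]\r\nURL=file://203.0.113.10/share/B123456789012.js\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("benign_link.url", benign)
        zf.writestr("B123456789012.url", smb)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['member']:<20} {f['scheme']:<5} {f['host']:<16} {flag}")
```

The check keys on the target scheme rather than on any particular hostname, so it catches the technique regardless of which share the actor points at; a gateway rule would typically quarantine the whole archive when any member is flagged.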
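The handshake shape described at the end of the report (client sends "=" plus 35 obfuscated bytes on port 443, server answers with 0x2d00, client sends a second packet) is distinctive enough to detect on the wire without decrypting anything. The block below is an added example for this page, not Proofpoint's or the original post's code: it labels a session from its first client payload and the server's first reply. It assumes the 36-byte first packet is fixed-length, that the 0x2d00 reply is the two-byte prefix 2d 00, and that a 3.0-bit entropy floor separates encrypted bytes from a plaintext protocol that happens to start with "="; all sample flows are constructed.

```python
"""
Added example (not from the original post): a detection heuristic for the
FlawedAmmyy first-contact handshake described above. The fixed 36-byte
client packet, the server reply byte order and the entropy floor are
assumptions made for this example; sample flows are constructed.
"""
import math
from collections import Counter

HANDSHAKE_LEN = 36          # "=" followed by 35 obfuscated, SEAL-encrypted bytes
HANDSHAKE_MAGIC = b"="
SERVER_ACK = b"\x2d\x00"    # assumed byte encoding of the 0x2d00 server response
MIN_ENTROPY = 3.0           # assumed floor (bits/byte) for encrypted-looking data
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_http(payload: bytes) -> bool:
    """Plaintext HTTP request line starting with a known method token."""
    return payload.split(b" ", 1)[0] in HTTP_METHODS


def classify_client_first(payload: bytes, dst_port: int) -> str:
    """Label the first client-to-server payload of a TCP session."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http(payload):
        return "http"
    if (dst_port == 443
            and len(payload) == HANDSHAKE_LEN
            and payload[:1] == HANDSHAKE_MAGIC
            and shannon_entropy(payload[1:]) >= MIN_ENTROPY):
        return "flawedammyy_handshake_candidate"
    return "other"


def classify_session(dst_port: int, client_first: bytes,
                     server_first: bytes, client_second: bytes) -> str:
    """Correlate both directions: a candidate first packet, the expected
    server acknowledgement, and a follow-up client packet."""
    verdict = classify_client_first(client_first, dst_port)
    if verdict != "flawedammyy_handshake_candidate":
        return verdict
    if server_first.startswith(SERVER_ACK) and client_second:
        return "flawedammyy_handshake"
    return verdict


# Constructed sample flows (not captures from any real session)
TLS_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
HANDSHAKE_SAMPLE = HANDSHAKE_MAGIC + bytes.fromhex(
    "9f3a7c0e5bd2184fa6c73e91b05d2a8f61c4e7093ab5f82d4c6e1a7b90d3f5c2e8b417"
)

if __name__ == "__main__":
    sessions = [
        ("browser", 443, TLS_SAMPLE, b"\x16\x03\x03", b""),
        ("plain-http", 443, HTTP_SAMPLE, b"HTTP/1.1 200 OK\r\n", b""),
        ("rat", 443, HANDSHAKE_SAMPLE, SERVER_ACK + b"\x10", b"\x01\x02\x03"),
    ]
    for name, port, c1, s1, c2 in sessions:
        print(f"{name:<12} -> {classify_session(port, c1, s1, c2)}")
```

Running the heuristic on the first payload in each direction keeps it cheap enough for inline use; the entropy floor exists only to avoid labelling some unrelated text protocol that begins with "=", and the candidate label is kept distinct from the full match so a single odd packet is not escalated on its own.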