Microsoft warns users of malicious campaign that drops FlawedAmmyy RAT

• The tech giant came across weaponized spam emails written in Korean, that executes this remote access Trojan directly in memory.
• FlawedAmmyy is known to target organizations in the automotive industry and is associated with campaigns by threat actor TA505.

Microsoft has uncovered a new attack campaign which delivers the well-known FlawedAmmyy remote access trojan (RAT). The campaign has weaponized spam emails that come with a .xls attachment and makes use of Excel macros to spread the RAT. According to Microsoft’s Security Intelligence team, the campaign employs a complex infection chain to execute FlawedAmmyy RAT directly in memory.

FlawedAmmyy, which is derived from the source code of remote desktop software, Ammyy Admin, is known to target the automotive industry and is associated with TA505’s campaigns.

The big picture

• In a series of tweets, Microsoft’s Security Intelligence highlights spam emails that were written in Korean and had malicious .xls attachments.
• This .xls file after opening automatically runs a macro function that executes msiexec.exe. This process downloads an MSI archive which executes a series of executable files.
• FlawedAmmyy RAT is the final executable file in this series and is directly ran in memory.

Mitigation measures

On the other hand, Security Intelligence has mentioned that the RAT could be stopped from being executed through Microsoft’s Defender application. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload,” it said in a tweet.

It is interesting to see that this malware does not target a specific vulnerability and can compromise a fully-patched Windows system. Thus, users are advised to be wary of suspicious emails written in foreign languages and make sure they do not open attachments present in them.