FlawedAmmyy Remote Access Trojan Distributed via Phishing Emails Taking Control of Computer

FlawedAmmyy Remote Access Trojan

Every now and then hackers come up with a new way to infect the PCs. In a recent report, it has been revealed that hackers are spreading RAT (remote access trojan) named as FlawedAmmyy via emails to take complete control over your PC remotely.

What’s more shocking is that this trojan FlawedAmmyy is made on the leaked source code of a genuine software, i.e. Ammy Admin remote desktop software version 3. For the users who do not much about Ammy Admin, it is one of the popular software that is used to provide remote support by many individuals and companies to their clients. However, leaked code of this genuine software is transformed into a trojan to take the complete access of the infected PC remotely. All this means that if a PC is infected by FlawedAmmy trojan then all its data including confidential files or saved credentials, can be compromised.

As per researchers from Proofpoint the trojan is distributed via phishing emails sent, that are sent in bulk to various users along with narrow attacks that mainly targeted automotive industry. The researchers also revealed that the group of attackers behind this trojan is TA505, an organization that is involved in malicious activities and many large-scale attacks since the year 2014.

Also Read: Hide and Seek: New Botnet Threat

How is FlawedAmmyy RAT Distributed?

As per the researchers from Proofpoint FlawedAmmyy appeared most recently as the payload in massive email campaigns on March 5 and 6, 2018. An email is sent to the users with a zipped URL attachment by spoofing the sender’s address. To add more authenticity in the emails the subject is used as either bills or invoices.

FlawedAmmyy RAT Distributed

ImgSrc: Proofpoint

The attachment with the email contains .url that redirects the user to a website by automatically opening the default web browser of his PC.

But the attackers instead redirect that URL to “http:// link:” redirects it to ‘file://’. All this results in downloading and executing a JavaScript file over the SMB protocol rather than opening the web browser if the user clicks on Open.

FlawedAmmyy RAT Distributed.

ImgSrc: Proofpoint

As per Proofpoint researchers this JavaScript in turn downloads Quant Loader, which, in this case, fetched the FlawedAmmyy RAT as the final payload. The use of “.url” files and SMB protocol downloads is unusual, and this is the first time we have seen these methods combined.

Also Read:  All You Can Know About Zero Day Exploit And Vulnerabilities

How to Protect Yourself from FlawedAmmyy Remote Access Trojan?

To protect himself, user does not need to be security expert or a tech geek all he needs to be a bit aware. Whenever you receive the emails with an attachment from unknown senders never click or download those attachments.

Also, the security warnings if you receive any while opening these attachments should not be overlooked. Moreover, if the publisher of a file is unknown or the one you do not recognize then it is better to avoid opening that file.