Microsoft Warns of Campaign Dropping FlawedAmmyy RAT in Memory (Jun 21, 2019)
Microsoft has issued a warning about an active campaign targeting South Koreans with the FlawedAmmyy Remote Access Trojan (RAT). FlawedAmmyy is a RAT used frequently by the threat group TA505 in spam campaigns. Using a spam email, the actors try to convince users to open an Excel file that runs a macro function along with an executable in memory. This executable downloads another malware payload straight into the computer's memory. The vulnerability, registered as CVE-2017-11882, was patched two years ago; however, unpatched systems are still being targeted by threat actors.
Recommendation: The security update should be applied as soon as possible, because an actor could gain complete control of your system. Files that ask for content to be enabled are a sign of a phishing attack. Ensure the sender is known and trusted and that you can verify the authenticity of an attachment before opening it. Any file attachment sent by an unknown sender should be viewed with the utmost scrutiny, and such attachments should be avoided.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.