TA505 Begins Summer Campaigns with A New Pet Malware Downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States (Jul 2, 2019)
The financially motivated threat group “TA505” has added a new downloader, called “AndroMut,” to its arsenal of malware and tools, according to Proofpoint researchers. Researchers note that AndroMut has been observed delivering another TA505 Remote Access Trojan (RAT) called “FlawedAmmyy,” which is based on the leaked source code of the legitimate remote access tool “Ammyy.” AndroMut is being distributed by TA505 via emails with macro-embedded attachments to recipients located in Singapore, South Korea, the UAE, and the US. Enabling the macro downloads AndroMut, which is then used to download the FlawedAmmyy RAT, giving the attackers additional access for conducting malicious activity.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.