Experts at Microsoft uncovered a malicious campaign that delivers the FlawedAmmyy RAT directly in memory.
The FlawedAMMYY backdoor borrows the code of the
FlawedAmmyy Remote Access Trojan was involved in attacks carried out by the threat actors tracked as TA505.
Microsoft observed weaponized spam messages using .xls attachments with content in Korean. The macro included in the documents executes the legitimate msiexec.exe tool that downloads an MSI archive.
The MSI archive includes a digitally signed executable that decrypts and execute another executable in memory once it is opened.
One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.
In May, experts at Yoroi-Cybaze Z-Lab observed a spike in the number of attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group.
Earlier June, researchers at Trend Micro observed the TA505 group carrying out attacks, involving the FlawedAmmyy RAT and other RATs, against users in Latin America and Asia.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.