FlawedAmmyy: A close look at the notorious activities and capabilities of the RAT

• FlawedAmmyy derives its source code from version 3 of the Ammyy Admin remote desktop software.
• The malware has been active since the beginning of 2016.

FlawedAmmyy RAT has been rated as one of the most remote access trojans in 2018. The malware, that is active since the beginning of 2016, has been observed to be used in highly targeted email attacks as well as massive cyberespionage campaigns.

According to Proofpoint, a majority of these campaigns affected the automotive industry, with many of them associated with TA505 threat actor group.

Creation of the RAT - FlawedAmmyy derives its source code from version 3 of the Ammyy Admin remote desktop software. Ammyy Admin is a popular remote access tool used by businesses and consumers to remote control and diagnostics on Microsoft Windows machines.

Although FlawedAmmyy was publicly available since 2016, the RAT came to the light in 2018. It includes several functionalities of the leaked version such as:

• Remote Desktop control;
• File system manager;
• Proxy support;
• Audio chat.

Capabilities - Upon infection, the RAT can enable potential attackers to perform a variety of malicious activities such as:

• Gaining complete access to PCs’ camera and microphone
• Captures screenshots;
• Ability to access a variety of services, steal files and credentials;
• Stealing customer data, proprietary information and more.

The FlawedAmmyy C2 protocol occurs over port 443 with HTTP.

Major instances - The notorious FlawedAmmyy RAT is delivered to the target via phishing emails. Some of the known attack campaigns where the RAT was distributed via phishing emails include:

• The widespread ‘Pied Piper phishing campaign’ in December 2018. The campaign was used against multiple targets. Attackers were found using weaponized .pub (Microsoft Publisher) documents to spread the RAT.
• The massive attack campaigns on March 5 and 6, 2018. The message in these campaigns contained zipped .url attachments which were used to deliver the RAT. The emails were sent with subjects such as ‘Receipt No 1234567’ to match with the number of the attached zip file.
• The targeted attack on March 1, 2018 - Phishing emails containing an attachment 0103_022.doc was used to deliver the malware. The attached doc included macros which when opened, downloaded the FlawedAmmyy directly.
• In January, 2018, the RAT was used against the automotive industry. Here, the phishing emails contained an attachment which read ‘16.01.2018.doc’. Once the doc was opened, it unleashed the malicious macros onto a victim’s machine.

Experts believe that attackers will continue to use FlawedAmmyy’s activeness to target more and more enterprises in the future.