Microsoft has uncovered a new attack campaign that delivers the well-known FlawedAmmyy remote access trojan (RAT). The campaign uses spam emails carrying a .xls attachment whose Excel macro starts the infection. According to Microsoft's Security Intelligence team, the campaign employs a multi-stage infection chain that ends with the FlawedAmmyy RAT being loaded and executed directly in memory rather than dropped to disk as a conventional executable.
FlawedAmmyy, which is derived from the leaked source code of the legitimate remote desktop software Ammyy Admin, is known to target the automotive industry and is associated with TA505's campaigns.
The big picture
Microsoft's Security Intelligence team also noted that the campaign was stopped by Microsoft Defender ATP before any stage ran. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload,” it said in a tweet.
Notably, the campaign does not exploit any software vulnerability: the macro runs only because the recipient allows it, so a fully patched Windows system is still compromised once the attachment is opened and its content enabled. Users are therefore advised to treat unexpected emails, including those written in foreign languages, with suspicion and not to open their attachments. Because the infection depends on the macro being allowed to run, administrators can remove the initial foothold by blocking macros in Office documents that arrive from the internet.
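The campaign enters through a macro in an .xls attachment, and the advice above is not to open such attachments. A mail gateway or mailbox scanner can enforce that before the user ever sees the file. The Python below is an added example, not code from Microsoft or from this article: it classifies attachment bytes by format magic rather than by file name, looks for the directory markers a VBA project leaves in a legacy .xls, and, generalizing beyond the .xls case the page describes, also checks an OOXML .xlsm for its macro part. The functions `classify` and `triage` and the constructed sample files are assumptions made for the illustration.

```python
"""Gateway-side triage of spreadsheet attachments for embedded VBA macros.

Added illustration, not code from Microsoft or from the campaign write-up.
It relies on two facts about the file formats:
  * A legacy .xls file is an OLE2 compound document (magic D0 CF 11 E0 A1 B1
    1A E1). Its directory stores stream names as UTF-16LE, and a document
    carrying a VBA project always has streams named "_VBA_PROJECT" and
    "PROJECTwm" (MS-OVBA).
  * An OOXML workbook (.xlsx/.xlsm) is a zip archive; the macro-enabled
    variant carries the part xl/vbaProject.bin.
A hit means "contains a macro", not "is malicious"; a real OLE parser such
as oletools' olevba is the right next step for anything flagged here.
"""
import io
import zipfile
from typing import Dict, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names that exist only when an OLE document embeds VBA.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "PROJECTwm")]
ZIP_MAGIC = b"PK\x03\x04"
OOXML_VBA_PART = "xl/vbaProject.bin"
MACRO_KINDS = {"ole-macro", "ooxml-macro"}


def classify(data: bytes) -> str:
    """Return 'ole-macro', 'ole', 'ooxml-macro', 'ooxml' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # The OLE directory is never compressed, so a raw byte scan for the
        # UTF-16LE stream name is a coarse but dependable indicator.
        return "ole-macro" if any(m in data for m in OLE_VBA_MARKERS) else "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        return "ooxml-macro" if OOXML_VBA_PART in names else "ooxml"
    return "other"


def triage(attachments: Dict[str, bytes]) -> Dict[str, Tuple[str, bool]]:
    """Map each attachment name to (detected kind, quarantine?).

    The decision is made on content, not on the extension, because the
    sender controls the file name but not the format magic.
    """
    return {name: (kind, kind in MACRO_KINDS)
            for name, kind in ((n, classify(d)) for n, d in attachments.items())}


# --- constructed samples (not real spreadsheets) so the script runs offline --

def build_sample_ole(with_vba: bool) -> bytes:
    """OLE magic, a filler header sector, then fake 64-byte directory names."""
    names = ["Root Entry", "Workbook"]
    if with_vba:
        names += ["_VBA_PROJECT", "ThisWorkbook"]
    directory = b"".join(n.encode("utf-16-le").ljust(64, b"\x00") for n in names)
    return OLE_MAGIC + b"\x00" * 504 + directory


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Minimal zip with the workbook part and, optionally, the VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(OOXML_VBA_PART, b"\x01\x16\x00\x00")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    mailbox = {
        "invoice.xls": build_sample_ole(with_vba=True),
        "report.xls": build_sample_ole(with_vba=False),
        "budget.xlsm": build_sample_ooxml(with_vba=True),
        "notes.txt": b"plain text, nothing to see",
    }
    for name, (kind, quarantine) in triage(mailbox).items():
        print(f"{name:14s} {kind:12s} {'QUARANTINE' if quarantine else 'deliver'}")
```

Flagging on content rather than extension matters here: a sender can rename a macro-bearing workbook to anything, but the OLE magic and the stream names it needs cannot be hidden without breaking the file. The script deliberately stops at "quarantine for analysis"; whether the macro is hostile is a job for a proper VBA extractor.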