This new trojan malware uses leaked source code of legit software to snoop on you

The FlawedAmmyy campaign is thought to be the work of a prolific hacking group that has been distributing the malware using phishing emails.
Written by Danny Palmer, Senior Writer


Hackers are distributing a newly discovered form of trojan malware that offers full access to infected Windows PCs.

Dubbed FlawedAmmyy, the malware is built on top of leaked source code for a legitimate app, Version 3 of Ammyy Admin remote desktop software, and enables attackers to secretly snoop on those duped into installing it.

The RAT (remote access trojan) is capable of complete remote desktop control, providing hackers with full access to the system and the opportunity to steal files, credentials, and more. The malware also has the potential to abuse audio chat.

While those behind FlawedAmmyy attempt to deliver it in bulk using massive phishing campaigns, they're also engaging in narrower campaigns targeting specific sectors, with attacks focused on the automotive industry, among others. This campaign to infect PCs with FlawedAmmyy was active just days ago.

Previously undocumented, FlawedAmmyy was first uncovered by researchers at Proofpoint, who said the group behind it has been actively deploying the trojan since January 2016.

The organisation behind the attacks is thought to be TA505, a prolific hacking group that has been active since 2014, and has previously targeted victims using the Dridex banking trojan, Locky ransomware, Jaff ransomware, and more, in wide-ranging campaigns.


Delivery methods for FlawedAmmyy are similar to those used in earlier TA505 campaigns: messages are sent out with subjects relating to receipts, bills, and invoices, carrying an email attachment in the form of a .ZIP file purporting to relate to a transaction.


A phishing email used to distribute the malware. Image: Proofpoint

The ZIP file contains .url files which are designed to serve as links to websites and automatically launch a web browser.

In this case, the shortcut files point to a 'file://' address rather than an 'http://' link, so when the victim opens the attachment, Windows resolves the path over the Server Message Block (SMB) protocol and the system downloads and executes JavaScript from that share, instead of opening a web page in the browser.

Researchers say this is the first instance of these two elements being combined to infect systems with malware. Once the SMB protocol has been called, the JavaScript downloads Quant Loader, which in turn fetches the final payload and installs FlawedAmmyy on the infected PC.

"We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more," said researchers at Proofpoint.

The trojan gives victims few obvious signs that their computer has been infected. To avoid infection, users should not click on unexpected or unusual links -- especially those from unknown senders.

"As always, users should not open attachments from senders they do not know and should be cognisant of security warnings when opening files. Layered defences at the email gateway, IDS, and endpoint can all provide important protection for threats of this nature," the researchers said.

ZDNet has attempted to contact the makers of Ammyy Admin about the hackers' use of the leaked code, but no response had been received at the time of writing.
