Hackers are distributing a newly discovered form of trojan malware that offers full access to infected Windows PCs.
Dubbed FlawedAmmyy, the malware is built on top of leaked source code for a legitimate app, Version 3 of Ammyy Admin remote desktop software, and enables attackers to secretly snoop on those duped into installing it.
The RAT (remote access trojan) is capable of complete remote desktop control, providing hackers with full access to the system and the opportunity to steal files, credentials, and more. The malware also has the potential to abuse audio chat.
While those behind FlawedAmmyy attempt to deliver it in bulk using massive phishing campaigns, they're also engaging in narrower campaigns targeting specific sectors, with attacks focused on the automotive industry, among others. This campaign to infect PCs with FlawedAmmyy was active just days ago.
Previously undocumented, FlawedAmmyy was first uncovered by researchers at Proofpoint, who said the group behind it has been actively deploying the trojan since January 2016.
The organisation behind the attacks is thought to be TA505, a prolific hacking group that has been active since 2014, and has previously targeted victims using the Dridex banking trojan, Locky ransomware, Jaff ransomware, and more, in wide-ranging campaigns.
Delivery methods for FlawedAmmyy are similar to those of earlier TA505 campaigns: messages are sent out with subjects relating to receipts, bills, and invoices, with an email attachment in the form of a .ZIP file purporting to be related to a transaction.
The ZIP file contains .url files which are designed to serve as links to websites and automatically launch a web browser.
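One gateway-side check for the delivery pattern described above (a ZIP attachment whose entries are Windows Internet Shortcut .url files), as an added example that is not from the article or from Proofpoint's research; the sample archive, file names and the example.invalid target are constructed here for illustration.

```python
import configparser
import io
import zipfile

# Constructed sample: the INI-style body of a Windows Internet Shortcut.
# The URL= target is a placeholder, not an indicator from any real campaign.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=http://example.invalid/receipt\r\n"
    "IconIndex=0\r\n"
)


def build_sample_zip(include_shortcut: bool = True) -> bytes:
    """Build an in-memory ZIP resembling an invoice-themed attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Thank you for your payment.")
        if include_shortcut:
            # Double extension is common; the check below keys on the final one.
            zf.writestr("invoice_4471.pdf.url", SAMPLE_URL_FILE)
    return buf.getvalue()


def shortcut_target(data: bytes):
    """Return the URL= value of an Internet Shortcut, or None if unparsable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
        return parser.get("InternetShortcut", "URL", fallback=None)
    except configparser.Error:
        return None


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Flag every .url entry in the archive and record where it points."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".url"):
                findings.append({
                    "entry": info.filename,
                    "target": shortcut_target(zf.read(info)),
                    "reason": "Internet Shortcut inside email ZIP attachment",
                })
    return findings
```

A finding here is a reason to quarantine the message and log the extracted target for the SOC; a clean archive returns an empty list.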
"We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more," said researchers at Proofpoint.
The trojan gives victims no obvious sign that their computer has been infected. To avoid infection, users should not click on unexpected or suspicious links, especially from unknown senders.
"As always, users should not open attachments from senders they do not know and should be cognisant of security warnings when opening files. Layered defences at the email gateway, IDS, and endpoint can all provide important protection for threats of this nature," the researchers said.
ZDNet has attempted to contact the makers of Ammyy Admin about the hackers' use of the leaked code, but no response had been received at the time of writing.