This remote access trojan just popped up on malware's most wanted list

FlawedAmmyy RAT is a potent family of malware giving hackers full remote access to PCs.
Written by Danny Palmer, Senior Writer

While cryptomining malware currently reigns supreme as the most prolific form of malicious software distributed by cyber criminals, a remote access trojan has entered the top ten most prolific malware threats for the first time -- and it's a particularly dangerous family.

Threat intelligence researchers at Check Point Software have tracked and published the top ten most prominent malware threats detected by its global network of sensors since late 2015, and ransomware, worms and cryptocurrency miners have regularly featured in the 'most wanted' malware over the last two years.

But for the first time ever, October saw the FlawedAmmyy RAT scrape into the top ten most detected malware threats in tenth place -- making it the first remote access trojan to make the list.

Built on top of the leaked source code of the Ammyy Admin remote desktop software, FlawedAmmyy first appeared near the beginning of the year and provides attackers with extensive access to the PCs of infected victims.

As it's based on legitimate remote access software, FlawedAmmyy allows its criminal users to gain a backdoor on the targeted system and the opportunity to steal files, credentials, and more. It can also be used to take screenshots and even listen in on audio and video recorded around the victim.

The malware has been used in targeted attacks as well as in mass spam campaigns, with the Necurs botnet recently observed spreading FlawedAmmyy via malicious attachments in phishing emails. Its rise demonstrates that data remains a key asset for cyber criminals, despite the growth of other criminal operations such as cryptomining.


"While we have detected several campaigns distributing the FlawedAmmyy RAT in recent months, the latest campaign was easily the largest in terms of its widespread impact," said Maya Horowitz, threat intelligence group manager at Check Point.

"While cryptominers remain the dominant threat, this may indicate that data such as login credentials, sensitive files, banking and payment information haven't lost their lucrative appeal to cybercriminals," she added.

While FlawedAmmyy sits in tenth place, cryptominers make up almost half of the top ten malware threats detected during October, with Coinhive cryptojacker the most prolific malware of the period and Cryptoloot in second place.

Both forms of mining malware covertly consume the victim's processing power to mine cryptocurrency for the distributor. Researchers note that Cryptoloot, which has risen up the rankings to second place, is a direct competitor to Coinhive and asks for a smaller percentage of the mined revenue in an effort to undermine its rival.


Various worms, botnets and malvertising campaigns make up the remainder of the top ten. The Ramnit banking trojan also features, but unlike FlawedAmmyy it doesn't provide attackers with remote access to the PC; instead it focuses on harvesting banking credentials from browsers.

Ransomware used to feature heavily in the Check Point threat round-ups, but has dropped off the radar since the file-locking malware was at its height.

However, that doesn't mean it isn't a threat to organisations. It has simply become far more selective in its targeting, with attackers conducting campaigns against a smaller number of victims in ways that yield high returns from each one.

"While last year WannaCry and other ransomware was widespread, this year, ransomware attacks are very targeted. They've become boutique attacks, where there's a specific asset that's targeted," said Horowitz.
