In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, derived from the Ammyy Admin remote desktop tool. FlawedAmmyy is built on leaked source code of Version 3 of Ammyy Admin and provides unfettered remote access to the target system. This campaign, which the researchers attributed to TA505, includes both a broad spam campaign and more targeted campaigns aimed at specific industries, including the Automotive Industry. Since its inception in December 2017, GandCrab ransomware quickly became one of the most significant cyber threats of early 2018. Based on a Ransomware as a Service (RaaS) model and distributed throughout the dark web, the malware targets multiple countries around the world using a sophisticated combination of malicious tools. Despite the recent success of law enforcement authorities and the security community, who managed to slow down the proliferation of the first version of GandCrab by releasing a free decryption tool, updated versions of the ransomware continue to attack thousands of victims around the world. GandCrab RaaS is the first ransomware in the world demanding ransoms in DASH cryptocurrency.
Though just recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign utilizes the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of this malware is its combined use of ZIP files containing .URL files (which Windows interprets as Internet Shortcuts) and the SMB protocol to deliver the RAT to the victim.
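The delivery chain above (a ZIP archive carrying an Internet Shortcut whose target is fetched over SMB) is something a mail gateway or sandbox can check for before the archive reaches a user. The following is an added illustration, not code from the original report or from the researchers it cites: it parses the INI-style [InternetShortcut] section of every .url entry in an archive and flags targets that are UNC paths, smb:// URLs, or file:// URLs with a remote host. The archive, host and file names are constructed placeholders, not indicators from the campaign.

```python
import io
import zipfile
from urllib.parse import urlparse

# Constructed sample: an Internet Shortcut (.url) whose target lives on a
# remote SMB share, packed next to a harmless text file. The host, share and
# file names are placeholders, not real indicators.
SAMPLE_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=file://fileshare.example.invalid/public/update.exe\r\n"
    "IconIndex=3\r\n"
)


def build_sample_zip() -> bytes:
    """Build the constructed archive in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2018.url", SAMPLE_SHORTCUT)
        zf.writestr("notes.txt", "plain text, nothing to flag")
    return buf.getvalue()


def parse_internet_shortcut(text: str) -> dict:
    """Return key/value pairs from the [InternetShortcut] section.

    .url files are INI-style; keys are matched case-insensitively and
    other sections are ignored.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_target(url: str):
    """Return a reason string if the target would be fetched over SMB, else None."""
    if url.startswith("\\\\"):
        return "UNC path"
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "smb":
        return "smb:// scheme"
    if scheme == "file" and parsed.netloc and parsed.netloc.lower() != "localhost":
        return "file:// with remote host"
    return None


def scan_zip(data: bytes):
    """Return (entry name, target URL, reason) for each .url entry pointing to SMB."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            # Shortcuts are tiny; cap the read so a crafted entry cannot exhaust memory.
            with zf.open(info) as fh:
                text = fh.read(64 * 1024).decode("utf-8", errors="replace")
            target = parse_internet_shortcut(text).get("url")
            if not target:
                continue
            reason = classify_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


if __name__ == "__main__":
    for name, target, reason in scan_zip(build_sample_zip()):
        print(f"FLAG {name}: {target} ({reason})")
```

A local file:// target (no host, or localhost) is deliberately not flagged, since legitimate shortcuts to local documents are common; a remote host in a file:// or UNC target is what makes the shortcut fetch content over SMB when opened.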
For more information, see the links below:
<a href="https://www.zdnet.com/article/this-new-trojan-malware-uses-leaked-source-code-of-legit-software-to-snoop-on-you/" rel="nofollow noreferrer" target="_blank">ZDNet</a>
Some Mitigation Strategies:
- File Integrity Management looking for the installation of files associated with the RAT
- Intrusion detection systems (IDS) would detect the SMB download traffic and C2 communication
- Web Filtration would detect the use of malicious URLs
- 24x7 Security Monitoring for malicious behavior and immediate incident response
According to security analysts’ estimates, the initial version of the malware was poorly developed, which allowed for the development of a decryption tool. However, GandCrab creators quickly corrected flaws, and the integrity of subsequent versions proved to be more reliable. It is reported that an earlier flawed version of GandCrab had a decryption key stored on victim machines, which in turn was encrypted with the same password. However, the issue was promptly addressed by the GandCrab developers.
For their infrastructure, the ransomware operators utilize the decentralized Namecoin DNS with its .bit extension.
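Because the .bit top-level domain is served by the Namecoin blockchain rather than the ICANN root, any .bit lookup on a corporate network is worth an alert on its own. The following added example (not code from the original report) scans constructed DNS query log lines for names whose last label is "bit", normalizing trailing dots and case and matching on the label rather than a substring so that names like "bitcoin.example.net" are not flagged. The log format and all hostnames are assumed and constructed for the illustration.

```python
import re
from collections import Counter

# Constructed DNS query log: "<timestamp> <client> query <qname> <qtype>".
# Hostnames and addresses are placeholders, not indicators from any campaign.
SAMPLE_DNS_LOG = """\
2018-03-05T10:14:02Z 10.0.0.21 query www.example.com A
2018-03-05T10:14:09Z 10.0.0.21 query updates.example.org A
2018-03-05T10:15:30Z 10.0.0.42 query constructed-c2.bit A
2018-03-05T10:15:31Z 10.0.0.42 query constructed-c2.bit. A
2018-03-05T10:16:00Z 10.0.0.42 query bitcoin.example.net A
2018-03-05T10:17:44Z 10.0.0.77 query another-host.bit TXT
garbage line that does not match the format
"""

DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize_name(qname: str) -> str:
    """Drop the trailing dot of a fully qualified name and lowercase it."""
    return qname.rstrip(".").lower()


def is_namecoin_domain(qname: str) -> bool:
    """True when the rightmost label is 'bit' (Namecoin's TLD)."""
    labels = normalize_name(qname).split(".")
    return len(labels) >= 2 and labels[-1] == "bit"


def find_bit_queries(log_text: str):
    """Return (client, normalized name, qtype) for every .bit query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        if is_namecoin_domain(m["qname"]):
            hits.append((m["client"], normalize_name(m["qname"]), m["qtype"]))
    return hits


def clients_by_hits(hits):
    """Count .bit queries per client so the noisiest host is triaged first."""
    return Counter(client for client, _, _ in hits)


if __name__ == "__main__":
    hits = find_bit_queries(SAMPLE_DNS_LOG)
    for client, name, qtype in hits:
        print(f"ALERT {client} queried {name} ({qtype})")
    print(clients_by_hits(hits))
```

Standard resolvers return NXDOMAIN for .bit names, so malware that relies on them typically talks to a resolver that is not the corporate one; egress rules that restrict port 53 to sanctioned resolvers, with logging of the blocked attempts, complement this log check.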
Some Mitigation Strategies:
- Intrusion detection systems (IDS) to monitor for malicious communication to C2
- File Integrity Management to look for new files being installed on the system
- Log Management would collect data on C$ shares and other lateral movement
- Mail Filtration to capture potential files attached to phishing emails
- 24x7 Security Monitoring with Focused Security Content for solid threat detection