Threat Report

Tuesday July 10, 2018

In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, targeting the Ammyy Admin remote desktop tool. FlawedAmmyy is built on leaked source code of Version 3 of Ammyy Admin and provides unfettered remote access to the target system. This campaign, which the researchers attributed to TA505, includes both a broad spam campaign and more targeted campaigns targeting specific industries, including the Automotive Industry. Since its inception in December 2017, GandCrab ransomware quickly became one of the most significant cyber threats of early 2018. Based on a Ransomware as a Service (RaaS) model and distributed throughout the dark web, the malware targets multiple countries around the world using a sophisticated combination of malicious tools. Despite the recent success of law enforcement authorities and the security community who managed to slow down the proliferation of the first version of GandCrab by releasing a free decryption tool, updated versions of the ransomware continue to attack thousands of victims around the world. GandCrabRaaS is the first ransomware in the world demanding ransoms in DASH cryptocurrency.

Malware: FlawedAmmyy

Though just recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign utilizes the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of this malware is its combined use of ZIP files containing. URL files (which Windows interprets as Internet Shortcuts) and the SMB protocol to deliver the RAT to the victim.

For more information there are a few links below:

Links:

ZDNet

Hack Dig

PasteBin

Some Mitigation Strategies:

Malware: GandCrab

According to security analysts’ estimates, the initial version of the malware was poorly developed, which allowed for the development of a decryption tool. However, GandCrab creators quickly corrected flaws, and the integrity of subsequent versions proved to be more reliable.
It is reported that an earlier flawed version of GandCrab had a decryption key stored on victim machines, which in turn was encrypted with the same password. However, the issue was promptly addressed by the GandCrab developers.

In its activities, ransomware operators utilize the decentralized Namecoin DNS with .bit extension.

Links:

Security Affairs

Trend Micro

VirusTotal

Some Mitigation Strategies:

Patrick Snyder

Patrick Snyder
Triage Tyrant

Fearlessly leading our SOC, Patrick investigates and triages customer alerts, living on HungryMan meals and Texas toast to fuel his work with minimal interruption. A call from Patrick is both fruitful and entertaining. Patrick brings his talents to the Perch nest with nearly 20 years of experience in Information Technology eight of those focused on creating security content and security operations management. When he's not triaging your alerts, Patrick writes greeting cards for embarrassing occasions, and polishes his marionette skills.

LinkedIn