The cybercriminal group TA505 appears to have launched two malware campaigns last June, delivering the FlawedAmmyy RAT to victims in multiple countries using the newly created downloader program AndroMut.
Both campaigns infected victims using phishing emails with links for downloading Microsoft Word and Excel files, according to a July 2 blog post by Proofpoint If enabled, the malicious macros embedded within those files would execute an Msiexec command that downloaded and executed AndroMut or the FlawedAmmyy loader. Either way, the loader would deliver the FlawedAmmyy RAT.
One of the campaigns targeted South Koreans, while the other sought out financial institutions in Singapore, the United Arab Emirates and the U.S. In both cases, the subject lines in these phishing emails contained financial document terminologies such as “invoice,” “remittance” or “estimate.”
Proofpoint reports that AndroMut is written in C++ programming language, communicates with its C2 server via HTTP POST requests, and seems to share certain code and behavior with Andromeda and QtLoader malware (although the researchers expressed low confidence in these overlaps).
AndroMut also features multiple anti-analysis processes, including checking for sandboxing, mouse movement, the Wine emulator and debuggers. And its creates persistence in one of two ways, depending on user privileges: “by either scheduling a task that executes a created LNK file in the Recycle Bin or via the ‘Registry run’ method,” Proofpoint explains.
“With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual ‘follow the money’ behavioral pattern,” the Proofpoint blog post concludes. “The new AndroMut downloader, when combined with the FlawedAmmy RAT as its payload, appears to be TA505’s new pet for the summer of 2019.”