2018-11-30 - QUICK POST: MALSPAM PUSHING FLAWED AMMYY RAT

ASSOCIATED FILES:

• 2018-11-30-malspam-pushing-Flawed-Ammyy-0713-UTC.eml.zip   46 kB (45,953 bytes)
• 2018-11-30-infection-traffic-from-malspam-pushing-Flawed-Ammyy.pcap.zip   805 kB (804,776 bytes)
• 2018-11-30-malware-and-artifacts-from-Flawed-Ammyy-infection.zip   449 kB (449,496 bytes)

NOTES:

• Thanks to @dvk01uk, @helxax, and @bigmacjpg for discussing the email and malspam in this Twitter thread.
• More info in a recent blog post from Morphisec titled: Morphisec Uncovers Global "Pied Piper" Campaign.
• Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

IMAGES:

Shown above:  Screenshot of the malspam and attached Word doc.

 

Shown above:  Infection traffic filtered in Wireshark.

 

Shown above:  Step 1 - Word macro retrieves MSI file.

 

Shown above:  Step 2 - MSI file retrieves and installs Flawed Ammyy.

 

Shown above:  Step 3 - Flawed Ammyy callback traffic.

 

Shown above:  Flawed Ammyy persistent on an infected Windows host.

 

Click here to return to the main page.