2018-11-30 - QUICK POST: MALSPAM PUSHING FLAWED AMMYY RAT
ASSOCIATED FILES:
- 2018-11-30-malspam-pushing-Flawed-Ammyy-0713-UTC.eml.zip 46 kB (45,953 bytes)
- 2018-11-30-infection-traffic-from-malspam-pushing-Flawed-Ammyy.pcap.zip 805 kB (804,776 bytes)
- 2018-11-30-malware-and-artifacts-from-Flawed-Ammyy-infection.zip 449 kB (449,496 bytes)
NOTES:
- Thanks to @dvk01uk, @helxax, and @bigmacjpg for discussing the email and malspam in this Twitter thread.
- More info in a recent blog post from Morphisec titled: Morphisec Uncovers Global "Pied Piper" Campaign.
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
IMAGES:
- Screenshot of the malspam and attached Word doc.
- Infection traffic filtered in Wireshark.
- Step 1 - Word macro retrieves MSI file.
- Step 2 - MSI file retrieves and installs Flawed Ammyy.
- Step 3 - Flawed Ammyy callback traffic.
- Flawed Ammyy persistent on an infected Windows host.