2018-11-30 - QUICK POST: FLAWED AMMYY RAT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-11-30-malspam-pushing-Flawed-Ammyy-0713-UTC.eml.zip 46.0 kB (45,953 bytes)
- 2018-11-30-Flawed-Ammyy-infection-traffic.pcap.zip 804.7 kB (804,734 bytes)
- 2018-11-30-malware-and-artifacts-from-Flawed-Ammyy-infection.zip 450.4 kB (450,356 bytes)
NOTES:
- More info in a recent blog post from Morphisec titled: Morphisec Uncovers Global "Pied Piper" Campaign.
IMAGES:
- Screenshot of the malspam and attached Word doc.
- Infection traffic filtered in Wireshark.
- Step 1: Word macro retrieves MSI file.
- Step 2: MSI file retrieves and installs Flawed Ammyy.
- Step 3: Flawed Ammyy callback traffic.
- Flawed Ammyy persistent on an infected Windows host.
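The three-step chain captured above (Word macro fetches an MSI, the MSI fetches and installs the RAT, the RAT calls home) is the kind of ordered sequence a detection rule can correlate per host instead of alerting on each request in isolation. The script below is an added example written for this post, not code or indicators from the original page or from the pcap in the zip archive. The log line format, the user-agent strings used to recognise an Office macro download and an msiexec download, the hostnames (.invalid) and the IP addresses (documentation ranges) are all constructed assumptions; swap in the fields of your own proxy or Zeek http.log before using it.

```python
"""Correlate an Office-macro -> MSI -> RAT-callback chain per client host.

Added example for this post; log format and indicators are constructed
assumptions, not artifacts from the pcap on the page.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Assumed line format: "<ISO timestamp> <client ip> <method> <url> \"<user-agent>\" <content-type>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'"(?P<ua>[^"]*)"\s+(?P<ctype>\S+)$'
)

# Stage indicators (assumptions to tune for your environment):
OFFICE_UA = re.compile(r"Microsoft Office|ms-office", re.I)   # macro pulling a file from inside Word
MSI_URL = re.compile(r"\.msi(\?|$)", re.I)                      # step 1: MSI download
MSIEXEC_UA = re.compile(r"Windows Installer", re.I)             # step 2: installer fetching the payload
PAYLOAD_URL = re.compile(r"\.(exe|bin|dat)(\?|$)", re.I)
IP_HOST = re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/")  # step 3: callback to a bare IP

STAGES = ("macro_msi", "msi_payload", "callback")


@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    url: str
    ua: str
    ctype: str


@dataclass
class Chain:
    src: str
    stages: dict = field(default_factory=dict)  # stage name -> first matching Event

    def complete(self) -> bool:
        return all(s in self.stages for s in STAGES)


def parse(lines):
    """Yield Event objects for well-formed lines; blank, comment and malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield Event(datetime.fromisoformat(d["ts"]), d["src"], d["method"],
                    d["url"], d["ua"], d["ctype"])


def classify(ev: Event):
    """Map one request to a chain stage, or None if it matches nothing."""
    if OFFICE_UA.search(ev.ua) and MSI_URL.search(ev.url):
        return "macro_msi"
    if MSIEXEC_UA.search(ev.ua) and PAYLOAD_URL.search(ev.url):
        return "msi_payload"
    if ev.method == "POST" and ev.ua == "" and IP_HOST.match(ev.url):
        return "callback"
    return None


def find_chains(lines):
    """Build per-host chains; a stage is only recorded once every earlier stage has been seen.

    A lone POST to a bare IP therefore never opens a chain by itself, which keeps
    the rule from firing on ordinary API traffic that happens to use IP literals.
    """
    chains = {}
    for ev in sorted(parse(lines), key=lambda e: e.ts):
        stage = classify(ev)
        if stage is None:
            continue
        chain = chains.get(ev.src) or Chain(ev.src)
        if stage in chain.stages:
            continue
        idx = STAGES.index(stage)
        if all(s in chain.stages for s in STAGES[:idx]):
            chain.stages[stage] = ev
            chains[ev.src] = chain
    return chains


def infected_hosts(lines):
    """Hosts that completed all three stages in order."""
    return sorted(src for src, c in find_chains(lines).items() if c.complete())


# Constructed sample log (not from the pcap on this page).
SAMPLE_LOG = """
2018-11-30T07:15:02 10.0.0.25 GET http://doc-host.invalid/files/update.msi "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.4266; Pro)" application/octet-stream
2018-11-30T07:15:09 10.0.0.25 GET http://payload-host.invalid/wsus.exe "Windows Installer" application/octet-stream
2018-11-30T07:15:30 10.0.0.25 POST http://203.0.113.7:443/ "" application/octet-stream
2018-11-30T07:16:00 10.0.0.31 GET http://intranet.invalid/report.docx "Mozilla/5.0" application/vnd.openxmlformats-officedocument.wordprocessingml.document
2018-11-30T07:16:05 10.0.0.31 POST http://198.51.100.9/api "" application/json
2018-11-30T07:17:00 10.0.0.40 GET http://doc-host.invalid/files/update.msi "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.4266; Pro)" application/octet-stream
"""

if __name__ == "__main__":
    for src, chain in find_chains(SAMPLE_LOG.splitlines()).items():
        status = "COMPLETE CHAIN" if chain.complete() else "partial"
        print(src, status, [f"{s}@{e.ts.time()}" for s, e in chain.stages.items()])
```

In the constructed sample only 10.0.0.25 walks all three steps; 10.0.0.40 stops after the MSI download (worth a look, but not a confirmed install), and 10.0.0.31's POST to an IP literal never opens a chain because no earlier stage preceded it. Ordering by timestamp before correlating matters: a callback seen before the MSI download is a different story and should not be folded into the same chain.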