FlawedAmmyy is a remote access Trojan (RAT) which is based on leaked Ammyy Admin software. Ammyy Admin is a popular remote access tool used by businesses and consumers to handle remote control and diagnostics on Microsoft Windows machines which makes the FlawedAmmyy RAT to exhibit the functionality of the leaked version, including remote desktop control, file system manager, proxy support and audio chat.
FlawedAmmyy was used in both massive campaigns such as phishing campaigns, to potentially create a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more. In the latest campaign of TA505 which is a prolific Cybercriminal group known for attacks against multiple financial institutions and retail companies, they started using HTML attachments to deliver malicious .XLS files that lead to downloader and backdoor FlawedAmmyy, mostly to target South Korean users.
Upon infection, the RAT can enable potential attackers to perform a variety of malicious activities such as:
- Gain complete access to PCs’ camera and microphone
- Capture screenshots
- Access a variety of services, steal files and credentials
- Steal customer data, proprietary information and more
Capabilities
- Information Theft
- Backdoor commands
Impact
- Financial Loss - steals financial information of user
- Compromise system security - with backdoor capabilities that can execute malicious commands
- Violation of user privacy - gains complete access to camera and microphone of user
Infection Routine
File Reputation
| Detection/Policy/Rules | Pattern Branch/Version | Release Date |
|---|---|---|
| Trojan.W97M.FLAWEDAMMY.AC Backdoor.Win32.FLAWEDAMMY.AN Trojan.X97M.FLAWEDAMMYY.C Trojan.Win32.FLAWEDAMMYY.AA Trojan.HTML.FLAWEDAMMYY.E Backdoor.Win32.FLAWEDAMMY.SMA | ENT OPR 15.196.04 | June 25, 2019 |
Predictive Machine Learning
| Detection | Pattern Branch/Version |
|---|---|
| Troj.Win32.TRX.XXPE50FFF031 Downloader.VBA.TRX.XXVBAF01FF004K0010 | In-the-cloud |
Web Reputation
| Detection/Policy/Rules | Pattern Branch/Version |
|---|---|
| URL Protection | In-the-cloud |
Anti Spam
| Pattern Branch/Version | Release Date |
|---|---|
| AS Pattern 4690 | June 18, 2019 |
Solution Map - What should customers do?
| Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Predictive Machine Learning | Web Reputation |
|---|---|---|---|---|---|---|
Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| OfficeScan | XG (12.0) | |||||
Worry-Free Business Security | Standard (10.0) | |||||
| Advanced (10.0) | Update pattern via web console | |||||
| Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| InterScan Messaging Security | 9.1 | |||||
| InterScan Web Security | 6.5 | |||||
| ScanMail for Microsoft Exchange | 14.0 | |||||
| Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendations
- Make sure to always use the latest pattern available to detect the old and new variants of FlawedAmmyy malware.
- Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.
