FlawedAmmyy RAT (Remote Access Trojan)

FlawedAmmyy Remote Access Trojan has been created from leaked Ammyy Admin remote desktop software source code. It can steal files and credentials, install other malware as well as give the attacker use of the many functions of the Ammyy Admin software including; remote desktop control, file manager, proxy supports and chat functionality.

FlawedAmmyy has been spread via spam emails with malicious attachments. At the time of publication, there have been three major spam campaigns. The first and second campaigns used an attachment with malicious macros which would download the malware. The third campaign contained a .zip file which contains .url files. The .url file will download a JavaScript over Server Message Block protocol, which then downloads Quant Loader. Quant Loader will then download FlawedAmmyy as the final payload.

The organisation behind the attacks is thought to be TA505, a prolific hacking group that has been active since 2014, and has previously targeted victims using the Dridex banking trojan, Locky ransomware, Jaff ransomware, and more, in wide-ranging campaigns.

This trojan doesn’t provide victims with any major flags their computer has been infected. In order to avoid infection, users should avoid clicking on unexpected and strange links, especially from unknown senders.

Affected Platforms

Microsoft Windows – All versions