Delaware, USA – July 25, 2018 – The TA505 cybercriminal group has been known for four years for its large-scale malspam campaigns distributing banking trojans, ransomware and infostealers through the infamous Necurs botnet. In early March, the group weaponized the FlawedAmmyy RAT, which lets the attackers remotely control an infected system and gives them access to all files on the computer. This remote access trojan has been used since the beginning of 2016 by multiple threat actors, both in targeted attacks and in large-scale campaigns.
Recently, researchers from CyberByte reported a massive spam campaign targeting Windows 10 users, in which the TA505 group used a new infection technique that abuses SettingContent-ms files. Since the end of June, the cybercriminals have sent hundreds of thousands of emails spreading malicious MS Word documents with an embedded shortcut file; after the release of the Microsoft July updates, they switched to sending PDF files. When a victim opens the malicious document, Adobe Reader asks whether to open the embedded file, and if the user agrees, it runs a PowerShell script that installs the FlawedAmmyy RAT.
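As an added example (not code from the original post or from SOC Prime), a defender-side check over the XML of a SettingContent-ms file: its DeepLink element carries the command line the shell executes when the shortcut is opened, so any launcher other than the normal Settings hosts, and script hosts such as PowerShell in particular, is worth alerting on. The two sample files and the allow-list of launchers are constructed for this example and are not artefacts from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Launchers that legitimate Settings shortcuts normally invoke (assumption for this example).
ALLOWED_LAUNCHERS = {"control.exe", "systemsettings.exe", "explorer.exe"}
# Script and LOLBin hosts that have no business inside a DeepLink element.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def deep_links(xml_text):
    """Return every DeepLink value in a SettingContent-ms document (namespace-agnostic)."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return [(el.text or "").strip() for el in root.iter()
            if isinstance(el.tag, str) and (el.tag == "DeepLink" or el.tag.endswith("}DeepLink"))]

def launcher_of(command):
    """Basename of the first token of a command line, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(xml_text):
    """List (reason, launcher, command) findings; an empty list means nothing suspicious."""
    findings = []
    for link in deep_links(xml_text):
        exe = launcher_of(link)
        if exe in SCRIPT_HOSTS:
            findings.append(("script_host", exe, link))
        elif exe not in ALLOWED_LAUNCHERS:
            findings.append(("unexpected_launcher", exe, link))
    return findings

# Constructed samples: a normal Backup and Restore shortcut, and one whose DeepLink
# launches PowerShell with a harmless placeholder command instead of control.exe.
BENIGN_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.BackupAndRestore</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation><Description>@shell32.dll,-4161</Description><Keywords>@shell32.dll,-4161</Keywords></SettingInformation>
  </SearchableContent>
</PCSettings>"""
SUSPICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    r"%windir%\system32\control.exe /name Microsoft.BackupAndRestore",
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "Write-Host constructed"')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, assess(sample) or "clean")
```

The same check applies to a .SettingContent-ms payload extracted from an OLE object in a Word document or from a PDF attachment, since the file format is identical wherever it is embedded.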
Despite the updates and the changes to the list of dangerous OLE object types, abuse of SettingContent-ms files for malware delivery remains an effective technique in attackers' hands. To detect the FlawedAmmyy RAT, you can use your existing security solutions together with the Sigma rule from Threat Detection Marketplace: https://tdm.socprime.com/sigma/generate/swIC1WMBqfpvXJhTewwE/