Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT

Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files.

A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files.

The SettingContent-ms file format was introduced in Windows 10; it allows a user to create “shortcuts” to various Windows 10 setting pages.

“All this file does is open the Control Panel for the user [control.exe],” explained SpecterOps researchers in a recent posting on the format. “The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute ‘control.exe’ to something [malicious]?”

The answer to that question is that the substituted script, when opened, executes any command automatically, including cmd.exe and PowerShell, with no prompt to the user – making the format a perfect conduit for malware.

This approach code also flies under the radar, and the maliciously crafted files simply bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.

Of course, getting victims to open a funky file format attached to an email could be a challenge, so bad actors have started embedding these into more innocent-looking attachments. Accordingly, researchers at SpecterOps in June saw campaigns abusing the SettingContent-ms file format within Microsoft Word documents. Earlier this week however, Proofpoint researchers observed the approach evolving, and being used with PDF documents – a previously unknown technique.

“On July 16 there was a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file,” Proofpoint researchers said in a posting yesterday. “The messages in the campaign used a simple lure asking the user to open the attached PDF.”

When opened, Adobe Reader displays a warning prompt, asking the user if they want to open the file, since it is attempting to run the embedded “downl.SettingContent-ms” via JavaScript, as it would for any file format embedded within a PDF. If the intended victim clicks the “OK” prompt, and the PowerShell command contained within the <DeepLink> element deploys the FlawedAmmyy RAT, which, while active since 2016, only hit researcher radar screens earlier this years.

The RAT is based on leaked source code for version 3 of the Ammyy Admin remote desktop software, and its features include remote desktop control, file system manager, proxy support and audio chat.

“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more,” Proofpoint researchers said in a blog on the discovery back in March. “We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.”

As for TA505, the firm’s attribution to the group is based on email messages, as well as payload and other identifying characteristics. TA505 is responsible for enormous malspam campaigns that make use of the Necurs botnet to distribute a range of payloads, including the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking trojan, and several others, in very high volumes. It operates a variety of C&C servers, allowing it to be resilient in the case of takedowns, sinkholes, and other defensive operations.

“TA505 tends to operate at very large scale and sets trends among financially motivated actors because of their reach and campaign volumes,” Proofpoint researchers said.

“Whether well-established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept,” Proofpoint researchers said. “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale. We will continue to monitor ways in which threat actors use this approach in the weeks to come.”

Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.