Malicious Office files are seen distributing FlawedAmmyy RAT
SonicWall Capture Labs Threat Research Team identified a new wave of malicious Office files being used to distribute Remote Administration Tool belonging to FlawedAmmyy family. It has been observed that both MS-Excel and MS-Word files containing VBA Macro code are used to download and execute the FlawedAmmyy malware.
Macro code is executed upon enabling macros when the Office file that comes as an email attachment is opened, its purpose is to download a Windows Installer file (MSI file) and execute it.
MSI file on execution further drops a file in folder “%systemdrive%\programData\”. Dropped filename observed to be either WSUS.exe or hkmoov.exe and belongs to FlawedAmmyy family. MSI file and dropped file have a valid digital signature.
Different variants of Office files that have this behavior are spotted in the wild.
The first variant was spotted on 20-May-2019. Upon opening the malicious Office attachment, an image is displayed with a message in the Korean language to enable Macros as shown below:
This variant contains malicious code in a single subroutine which is executed as soon as the macros are enabled after opening the file as shown below:
As can be seen in the above image, the tag part of UserForm in Macro contains a URL from where the payload is downloaded.
The second variant was first observed on 27-May-2019. The only change observed in this variant is that the malicious code was moved into multiple modules as shown below:
The third variant was first observed on 18-June-2019. With this variant we observed a number of changes as mentioned below:
- MS-Word files were used to distribute FlawedAmmyy.
- The Windows installer [msiexec] is used to execute the downloaded payload, whereas Windows command Processor [cmd ]was used in earlier variants
- The displayed message is in the English language as shown below
The fourth variant was first observed on 19-June-2019. This variant moved back to use MS-Excel files and displays the message in the Korean language.
The malware is using a number of images in each variant having the same message as shown below:
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: MalOffice.J0(Trojan)
- GAV: MalOffice.J1 (Trojan)
- GAV: MalOffice.J3 (Trojan)
This threat is detected pro-actively by Capture ATP w/RTDMI
Indicators Of Compromise