Pied Piper phishing scheme infests victims with FlawedAmmyy, RMS RATs

News by Bradley Barth

The cyber-criminal threat group TA505 is a key suspect in an ongoing phishing campaign that's been attempting to infect victims with the FlawedAmmyy and Remote Manipulator (RMS) remote access trojans.

The cyber-criminal threat group TA505 is a key suspect in an ongoing phishing campaign that’s been attempting to infect victims with the FlawedAmmyy and Remote Manipulator (RMS) remote access trojans.

Dubbed Pied Piper, the campaign was observed targeting a supplier to several well-known food chains, including Godiva Chocolates, Yogurtland and Pinkberry, according to a 29 November blog post from Michael Gorelik, CTO and vice president of research and development at Morphisec, whose researchers uncovered the threat. "We can only assume others could also be hit soon, if the C&C servers aren’t disabled," Gorelik said in the report.

Known to specialise in banking malware and ransomware, TA505 has recently displayed a growing interest in RAT malware, as evidenced by a similar report this month from Proofpoint, which linked TA505 to a newly discovered remote access trojan nicknamed tRAT.

Much like TA505’s tRAT campaign and other recent phishing campaigns featuring the Ammyy Admin RAT, the Pied Piper operation distributes Microsoft Office documents as attachments and attempts to trick victims into enabling malicious macros that execute the infection chain. In this case, the Microsoft Publisher (.pub) attachments were typically disguised as business invoices.

Once enabled, the macro installs a scheduled task that executes the next stage — a tactic designed to subvert AV protections. The task then executes a PowerShell command that downloads an MSI installer containing an downloader in the form of an executable file named MYEXE. This downloader searches infected machines for AV solutions, and then downloads the main payload as a temp file.

An investigation into the RATs’ signed certificates ultimately revealed that the same actor "has been pushing RMS RAT for more then a month and other remote access trojans for a couple of years," Gorelik said in the post.

In the course of their analysis, Morphisec researchers also found traces of documents from a different attack from two weeks earlier that targeted users in Spain and other unnamed countries. In this attack, the images in the documents were specifically tailored to the target’s language.

According to Gorelik, FlawedAmmyy gives attackers "full access to the victim’s PC, allowing them to steal files, credentials, collect screengrabs and access the camera and microphone. Attackers can also move laterally through the network, serving as a potential entry point for a major supply chain attack." 

In a 30 November update, Morphisec referenced a second attack linked to the same actor and C&C server.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews