Hundreds of thousands of emails containing malicious PDFs are being delivered in a widespread spam campaign orchestrated by the well-known cybercriminal group TA505. The PDFs deliver the FlawedAmmyy RAT using a new vector: SettingContent-ms files. The SettingContent-ms file format was introduced in Windows 10; it allows a user to create “shortcuts” to various Windows 10 settings pages. Using this approach, the malware flies under the radar and bypasses Windows 10 defenses such as Attack Surface Reduction (ASR) and the detection of dangerous OLE-embedded file formats.
Getting victims to open a malicious file attached to an email is always a challenge. In June, researchers saw campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but earlier this week they also observed it being used with PDF documents, a previously unseen technique.
When one of these infected PDFs is opened, Adobe Reader displays a warning prompt asking the user whether they want to open the file. If the victim clicks “OK”, the PowerShell command contained within the <DeepLink> element of the SettingContent-ms file runs and deploys the FlawedAmmyy RAT.
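As an added, defender-side example (not code from the original post or from the researchers it cites), the following Python script parses a .SettingContent-ms document, extracts its <DeepLink> element and flags links that launch a script interpreter or download cradle instead of a settings page; it also includes a crude static check for a PDF that carries such a file as an embedded attachment. The interpreter list, the keyword list and both sample inputs are the editor's constructed assumptions, not signatures from any vendor.

```python
"""Triage helper for .SettingContent-ms shortcuts (added example, not TA505 tooling)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Heuristic list of interpreters/LOLBins that have no business in a settings
# shortcut. Assumption: an editor-chosen starting list; tune it for your estate.
SUSPICIOUS_BINARIES = (
    "powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32", "certutil", "bitsadmin",
)
# PowerShell download/obfuscation keywords commonly seen in staged loaders (assumption).
CRADLE_KEYWORDS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
    "invoke-expression", "iex ", "-encodedcommand", "-enc ",
)


def extract_deeplinks(xml_text: str) -> list[str]:
    """Return the text of every <DeepLink> element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    links = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # '{ns}DeepLink' -> 'DeepLink'
        if local_name == "DeepLink":
            links.append((elem.text or "").strip())
    return links


def classify_deeplink(link: str) -> list[str]:
    """Return human-readable reasons a DeepLink looks abusive (empty list = benign)."""
    low = link.lower()
    reasons = []
    for binary in SUSPICIOUS_BINARIES:
        if binary in low:
            reasons.append(f"launches {binary}")
    for keyword in CRADLE_KEYWORDS:
        if keyword in low:
            reasons.append(f"download/obfuscation keyword '{keyword.strip()}'")
    if re.search(r"https?://", low):
        reasons.append("references a remote URL")
    return reasons


def scan_settingcontent(xml_text: str) -> dict:
    """Parse a .SettingContent-ms document and return a verdict with evidence."""
    deeplinks = extract_deeplinks(xml_text)
    reasons = []
    for link in deeplinks:
        reasons.extend(classify_deeplink(link))
    if not deeplinks:
        reasons.append("no DeepLink element (malformed or not a settings shortcut)")
    return {
        "deeplinks": deeplinks,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "benign",
    }


def pdf_embeds_settingcontent(pdf_bytes: bytes) -> bool:
    """Crude static check: does the PDF carry an embedded .SettingContent-ms file?

    Only catches file specifications stored in plain (uncompressed) objects;
    a real triage pipeline should inflate object streams first.
    """
    return (b"/EmbeddedFile" in pdf_bytes
            and re.search(rb"\.settingcontent-ms", pdf_bytes, re.IGNORECASE) is not None)


# Constructed sample shaped like a built-in Windows settings shortcut.
BENIGN_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.Display</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed, inert sample: the DeepLink launches PowerShell instead of a settings page.
MALICIOUS_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -Command "Write-Host constructed-inert-sample"</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed PDF fragment with an uncompressed embedded-file specification.
PDF_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Filespec /F (invoice.SettingContent-ms) /EF << /F 2 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(label, scan_settingcontent(sample))
    print("pdf embeds SettingContent-ms:", pdf_embeds_settingcontent(PDF_SAMPLE))
```

The DeepLink check is deliberately namespace-agnostic because the real files declare a namespace on <SearchableContent>, and a parser keyed on the bare tag name would silently miss every element. Feed the scanner the raw attachment bytes decoded as text, and treat a "suspicious" verdict as a reason to quarantine the message rather than as proof of compromise.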
Nowadays an infected device holds all the information an attacker needs to launch further attacks on you. To stay away from threats like this, we recommend installing antivirus for Windows or antivirus for Mac on every device you own, depending on which OS it runs.
If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking.
The RAT is based on leaked source code for version 3 of the Ammyy Admin remote desktop software; its features include remote desktop control, a file system manager, proxy support, and audio chat. In effect, the attackers gain complete access to the infected device.
FlawedAmmyy has been seen in two massive campaigns, potentially creating a large base of compromised computers and giving the attackers opportunities to steal customer data, proprietary information, and other valuable assets.
Attribution to the TA505 group is based on the email messages as well as the payload and other identifying characteristics. TA505 is responsible for enormous malspam campaigns that use the Necurs botnet to distribute a range of payloads in very high volumes, including the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan, and several others. The group tends to operate at very large scale and sets trends among financially motivated attackers.
We will continue to monitor this significant cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use antivirus for Windows or antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.