Severity
Medium
Analysis Summary
Threat actors are increasingly distributing downloaders, backdoors, information stealers, remote access trojans (RATs), and other payloads as they abandon ransomware as their primary payload. In November 2018, TA505, a prolific actor at the forefront of this trend, began distributing a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. In June 2019, TA505 appears to have introduced yet another new downloader, AndroMut, which shares some code and behavioral similarities with Andromeda, a long-established malware family. AndroMut has been observed downloading malware referred to as “FlawedAmmyy”. FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy.
Impact
- Information theft
- Exposure of sensitive information
Indicators of Compromise
URLs
- http[:]//fakers[.]co[.]jp/[.]6[.]9_3[.][.]doc
- http[:]//greenthumbsup[.]jp/[.]6[.]9_746[.]38[.]doc
- http[:]//nagomi-753[.]jp/[.]6[.]9_784[.]9[.]doc
- http[:]//nagomi-753[.]jp/[.]6[.]9_8[.]77[.]doc
- http[:]//nanepashemet[.]com/[.]6[.]9_78[.]37[.]xls
Filename
- invoice-5601.doc
- invoice.xls
Malware Hash (MD5/SHA1/SHA256)
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.
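Acting on the indicators above means refanging them and matching them against telemetry. The following Python script is an added example, not part of the original advisory: it refangs the listed URLs and flags constructed proxy log lines by exact URL, by the shared path shape (generalized into a pattern here, which is an assumption), by listed domain, or by lure filename.

```python
import re
from urllib.parse import urlparse
# Defanged URL indicators exactly as listed in this advisory.
DEFANGED_URLS = [
    "http[:]//fakers[.]co[.]jp/[.]6[.]9_3[.][.]doc",
    "http[:]//greenthumbsup[.]jp/[.]6[.]9_746[.]38[.]doc",
    "http[:]//nagomi-753[.]jp/[.]6[.]9_784[.]9[.]doc",
    "http[:]//nagomi-753[.]jp/[.]6[.]9_8[.]77[.]doc",
    "http[:]//nanepashemet[.]com/[.]6[.]9_78[.]37[.]xls",
]
LURE_FILENAMES = {"invoice-5601.doc", "invoice.xls"}  # lure names from the advisory
# Shared path shape "/.6.9_<digits>.<digits>.doc|xls"; treating it as a pattern is an assumption made here.
PATH_RE = re.compile(r"^/\.6\.9_\d+\.\d*\.(?:doc|xls)$")
def refang(indicator):
    # Turn "http[:]//host[.]tld/path" back into a real URL string.
    return indicator.replace("[:]", ":").replace("[.]", ".")

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2019-06-12T10:01:03Z 10.0.0.15 GET http://example.com/index.html 200
2019-06-12T10:02:11Z 10.0.0.15 GET http://nagomi-753.jp/.6.9_784.9.doc 200
2019-06-12T10:02:15Z 10.0.0.22 GET http://cdn.example.net/invoice-5601.doc 200
2019-06-12T10:03:40Z 10.0.0.31 GET http://other.example.org/.6.9_55.1.xls 200
2019-06-12T10:04:02Z 10.0.0.40 GET http://fakers.co.jp/about.html 200
"""

def scan_log(log_text, defanged=DEFANGED_URLS, filenames=LURE_FILENAMES):
    # Return (timestamp, client, url, reason) per matching line, strongest match first.
    # A domain-only hit on a possibly compromised site (fakers.co.jp here) is a triage lead, not an auto-block.
    exact_urls = {refang(u) for u in defanged}
    domains = {urlparse(u).hostname for u in exact_urls}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of crashing on them
        ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        if url in exact_urls:
            reason = "exact-url"
        elif PATH_RE.match(parsed.path):
            reason = "path-pattern"
        elif parsed.hostname in domains:
            reason = "known-domain"
        elif parsed.path.rsplit("/", 1)[-1] in filenames:
            reason = "lure-filename"
        else:
            continue
        hits.append((ts, client, url, reason))
    return hits
```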