New FlawedAmmyy RAT steals data and intercepts audio chat

The FlawedAmmyy RAT has been developed using the leaked source code of Ammyy Admin, a legitimate remote desktop software.

Proofpoint researchers have discovered a previously undocumented remote access Trojan (RAT) that is serving as the malicious payload in two large email campaigns observed on March 5th and 6th, 2018.

Researchers have noted that this RAT, dubbed FlawedAmmyy, has been in use since early 2016. It is now being delivered both in narrowly targeted email attacks and in widespread, multi-million-message campaigns. Most of the targeted attacks are aimed at the automotive industry, and the campaigns give attackers full access to systems running MS Windows.

The researchers call it FlawedAmmyy because it was built from the leaked source code of version 3 of the legitimate Ammyy Admin remote desktop software. Once the Trojanized build is installed, the attackers can silently monitor and control the victim's machine.

“We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more,” stated Proofpoint researchers.

These massive spam campaigns are believed to be the work of the threat actor TA505, which has already been involved in a number of large-scale campaigns distributing Locky, Dridex and GlobeImposter. It is worth noting that TA505 is a prolific group that experts believe has been active since 2014.

The phishing emails carry a ZIP file containing .url attachments. The emails use generic subjects such as bills, receipts or invoices, and the attachment is presented as a transaction record. A .url file is a Windows Internet shortcut: it points at a web address, and opening it normally launches the web browser at that address.

Ammyy Admin Leaked Source Code Used to Create FlawedAmmyy RAT

However, instead of pointing at an ‘http://’ address as a normal .url file would, these shortcuts point at a ‘file://’ address. This means that when the victim opens the attachment, instead of launching the browser, Windows retrieves the target file from a remote share over the SMB (Server Message Block) protocol and executes it, and in this case the target is a JavaScript file.
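A defender's first check on an attachment like this is simply to look at where the shortcut points. The script below is an added example, not code from the article or from Proofpoint: it parses the INI-style .url format (a `[InternetShortcut]` section with a `URL=` key), allow-lists only http/https targets, and flags anything that resolves to a file:// address, a UNC path or a local drive path. It generalises slightly beyond the article by catching plain UNC and drive-letter targets too, since those also bypass the browser. The two sample shortcuts, the in-memory ZIP and the `.invalid` hostname are constructed for the demo.

```python
"""Flag .url attachments whose target is a file path rather than a web page.

Added example; not from the original article or from Proofpoint. Windows .url
files are INI-style text with a [InternetShortcut] section and a URL= key. The
two sample shortcuts and the in-memory ZIP below are constructed for the demo.
"""
import configparser
import io
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed samples: a benign shortcut and one that points at an SMB share
# (hostname uses the reserved .invalid TLD so it can never resolve).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://fileserver.example.invalid/share/invoice.js\r\n"
)

ALLOWED_SCHEMES = ("http", "https")


def shortcut_target(contents: str) -> Optional[str]:
    """Return the URL= value from a .url file, or None if it cannot be parsed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        # .url files are CRLF-terminated; normalise so configparser sees clean lines.
        parser.read_string(contents.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    # Windows treats both the section name and the key case-insensitively.
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in parser.items(section):
            if key.lower() == "url":
                return value.strip()
    return None


def is_suspicious_target(target: str) -> bool:
    """True when the shortcut would open a file path instead of a web page.

    Only http and https are allowed. A file:// URL, a raw UNC path (\\host\share)
    and a drive-letter path (C:\...) all fall through to the file handler rather
    than the browser, so they are all flagged.
    """
    if target.startswith("\\\\"):
        return True
    return urlparse(target).scheme.lower() not in ALLOWED_SCHEMES


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, target) for every .url member that should be blocked."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if not member.lower().endswith(".url"):
                continue
            text = archive.read(member).decode("utf-8", errors="replace")
            target = shortcut_target(text)
            # An unparseable .url file is treated as suspicious rather than ignored.
            if target is None or is_suspicious_target(target):
                findings.append((member, target or "<unparseable>"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: one benign and one SMB-pointing shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("receipt.url", BENIGN_URL_FILE)
        archive.writestr("invoice.url", SUSPICIOUS_URL_FILE)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in scan_zip(build_sample_zip()):
        print(f"BLOCK {name}: {target}")
```

The allow-list approach is deliberate: rather than trying to enumerate every scheme or path form that Windows will hand to something other than the browser, the scanner accepts only http and https and treats everything else, including shortcuts it cannot parse, as grounds to hold the attachment. At a mail gateway this check runs before the user ever sees the ZIP, which is the layered-defence point Proofpoint makes later in the article.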

FlawedAmmyy RAT gives the attackers full remote control of the desktop and complete access to the system, with the opportunity to steal user data including credentials and documents. The malware can also intercept audio chat. Threat actors are delivering it in bulk via large-scale phishing campaigns while, in parallel, targeting specific industries.

According to researchers at Proofpoint, this is the first time they have observed these two techniques chained together. The SMB fetch delivers a JavaScript file, the JavaScript downloads Quant Loader, and Quant Loader fetches the final payload and installs FlawedAmmyy on the infected PC.

Worse, the victim gets no indication that the computer has been infected. To keep your PC from being infected, avoid clicking links in emails, especially those from unknown senders, and never open or download attachments from such emails.

“As always, users should not open attachments from senders they do not know and should be cognizant of security warnings when opening files. Layered defenses at the email gateway, IDS, and endpoint can all provide important protection for threats of this nature,” explained researchers at Proofpoint.

Ammyy Admin has been contacted for comment on the use of its leaked code by attackers, but at the time of writing the company has not issued a statement.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.