Operators of Dridex and Locky Trojans use new AndroMut loader

Proofpoint researchers have found that the Russian-speaking hacking group TA505 has switched to a new loader, AndroMut.

The group is believed to have been active since at least 2014 and is associated with large-scale malicious campaigns such as the distribution of the Dridex and Shifu banking Trojans, the Locky ransomware, the Philadelphia and GlobeImposter ransomware families, the ServHelper backdoor and the FlawedAmmyy RAT.

In June 2019, the researchers observed the group using the new AndroMut loader, written in C++, to distribute the FlawedAmmyy RAT.

“Proofpoint research discovered AndroMut downloading malware that is referred to as ‘FlawedAmmyy.’ FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy,” the researchers said.

The researchers also found that the new loader closely resembles the well-known Andromeda malware family, which in 2017 formed one of the largest botnets in the world.

Proofpoint analysts suggest that TA505 may be using leaked Andromeda source code, or that one of the botnet’s creators is collaborating with the group.

AndroMut has been seen in two different campaigns: the first targeted users in South Korea, the second financial institutions in Singapore, the United Arab Emirates and the United States. AndroMut serves as the first stage of the attack: the attackers send phishing emails with malicious HTM and HTML attachments, which in turn lead to Word or Excel files containing malicious macros. Once such a file is opened, AndroMut and then FlawedAmmyy are installed on the victim’s machine.
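The delivery chain just described (HTM/HTML attachment, then a macro-bearing Word or Excel file) is what a mail-gateway or incident-response triage script would look for. The following Python is an added example and is not Proofpoint’s analysis code or anything from the TA505 tooling: it flags HTM/HTML attachments in an e-mail, extracts any links to Office documents they contain, and checks whether an Office file is an OOXML archive carrying a VBA project. The sample message, the sample workbook and the `placeholder.invalid` host are all constructed for the example; the function names are the example’s own.

```python
"""Triage for the delivery chain described above: a phishing e-mail whose
HTM/HTML attachment leads to a Word/Excel file that carries a VBA macro.

Added example; this is not Proofpoint's analysis code and not TA505 tooling.
The sample message and workbook are constructed inline and the host in the
sample URL is a placeholder.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

HTML_NAME = re.compile(r"\.html?$", re.IGNORECASE)
# Links to Office documents inside the HTML: the redirect step of the chain.
OFFICE_LINK = re.compile(r"https?://[^\s\"'<>]+\.(?:doc[mx]?|xls[mx]?)\b", re.IGNORECASE)


def html_attachment_findings(raw_message: bytes) -> list:
    """One finding per HTM/HTML attachment, with any Office-document URLs it contains."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html_attachment = bool(HTML_NAME.search(name)) or (
            part.get_content_disposition() == "attachment"
            and part.get_content_type() == "text/html"
        )
        if not is_html_attachment:
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        findings.append({"attachment": name, "office_links": OFFICE_LINK.findall(body)})
    return findings


def has_vba_macro(office_bytes: bytes) -> bool:
    """OOXML files are zip archives; a VBA project is stored as vbaProject.bin
    (under word/ or xl/). Its presence means the document can run macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Legacy .doc/.xls (OLE2) need a different parser, e.g. oletools' olevba.
        return False


def build_sample_message() -> bytes:
    """Constructed phishing-style message with a small HTML attachment that
    refreshes to a macro-enabled workbook on a placeholder host."""
    msg = EmailMessage()
    msg["From"] = "invoice@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please open the attached invoice.")
    html = '<meta http-equiv="refresh" content="0;url=http://placeholder.invalid/inv/4471.xlsm">'
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return bytes(msg)


def build_sample_workbook(with_macro: bool) -> bytes:
    """Minimal zip mimicking the layout of an .xlsm (with_macro) or .xlsx file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in html_attachment_findings(build_sample_message()):
        print("HTML attachment", finding["attachment"], "->", finding["office_links"])
    print("macro in sample workbook:", has_vba_macro(build_sample_workbook(True)))
```

The two checks are deliberately separate: the attachment check runs at the mail gateway before anything is opened, while the macro check runs on whatever document the link eventually delivers. Blocking HTM/HTML attachments outright, or at least detonating them, removes the first link of the chain described in the report.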


The researchers note that AndroMut uses several anti-analysis techniques: the malware checks whether it is running in a sandbox, examines running process names, monitors mouse cursor movement, looks for the Wine emulator and for debuggers, and wipes memory after using sensitive data.
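For an analyst, the practical question raised by the list above is how to spot a sample that carries such checks before detonating it. The following Python is an added example, not Proofpoint’s or Trend Micro’s code and not derived from AndroMut itself: it performs a static string sweep of a binary for indicator families matching the techniques the report names (sandbox and analysis-tool process names, the Wine export, debugger-detection APIs, cursor polling, secure memory wiping), looking for each string in both ASCII and UTF-16LE form. The indicator lists are generic starting points an analyst would use, not strings taken from AndroMut, and the sample buffer is constructed for the example.

```python
"""Static triage for the anti-analysis tells listed above: sandbox/VM process
names, the Wine export, debugger checks, cursor-position polling, memory wiping.

Added example, not Proofpoint's, Trend Micro's or AndroMut's code. The
indicator lists are generic ones an analyst would start from, not strings
taken from AndroMut, and the sample buffer is constructed inline.
"""
import re

# Indicator family -> strings worth flagging in a sample. Each hit is only a
# capability hint; a legitimate installer may also call IsDebuggerPresent.
INDICATORS = {
    "sandbox_process_names": [b"vmtoolsd.exe", b"vboxservice.exe", b"vboxtray.exe",
                              b"wireshark.exe", b"procmon.exe", b"x64dbg.exe", b"ollydbg.exe"],
    "wine_detection": [b"wine_get_unix_file_name", b"wine_get_version"],
    "debugger_checks": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                        b"NtQueryInformationProcess"],
    "mouse_activity_checks": [b"GetCursorPos", b"GetLastInputInfo"],
    "memory_wiping": [b"RtlSecureZeroMemory", b"SecureZeroMemory"],
}


def _patterns(needle: bytes) -> list:
    """Match the string as plain ASCII and as UTF-16LE (how wide-string process
    names usually appear in Windows binaries), case-insensitively."""
    ascii_pat = re.compile(re.escape(needle), re.IGNORECASE)
    wide = needle.decode("ascii").encode("utf-16-le")
    wide_pat = re.compile(re.escape(wide), re.IGNORECASE)
    return [ascii_pat, wide_pat]


def scan(sample: bytes) -> dict:
    """Return {family: sorted list of matched indicator strings}; empty if none."""
    hits = {}
    for family, needles in INDICATORS.items():
        found = set()
        for needle in needles:
            if any(p.search(sample) for p in _patterns(needle)):
                found.add(needle.decode("ascii"))
        if found:
            hits[family] = sorted(found)
    return hits


def anti_analysis_score(hits: dict) -> int:
    """Number of distinct indicator families present. Three or more is a
    reasonable threshold for routing a sample to manual analysis rather than
    trusting an automated sandbox verdict alone."""
    return len(hits)


def build_sample() -> bytes:
    """Constructed buffer standing in for a dropper's read-only data: an import
    name, a wide-string process name and a Wine export, padded with filler."""
    parts = [
        b"\x00" * 16,
        b"IsDebuggerPresent\x00",
        "VBoxService.exe".encode("utf-16-le") + b"\x00\x00",
        b"wine_get_unix_file_name\x00",
        b"GetCursorPos\x00",
        b"\x90" * 16,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    hits = scan(build_sample())
    for family, strings in hits.items():
        print(f"{family}: {', '.join(strings)}")
    print("indicator families hit:", anti_analysis_score(hits))
```

Run against a real file with `scan(open(path, "rb").read())`. A high score is also a signal to the sandbox operator: an environment that exposes its tool process names, runs under Wine, or never moves the cursor will simply see the sample exit cleanly, which is exactly the outcome the checks described above are designed to produce.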

“Over the last two years, Proofpoint researchers observed TA505 and a number of other players focused on downloaders, RATs, information stealers, and banking Trojans. With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual ‘follow the money’ behavioral pattern. The new AndroMut downloader, when combined with the FlawedAmmyy RAT as its payload, appears to be TA505’s new pet for the summer of 2019,” Proofpoint specialists report.

Trend Micro experts also published a report on the latest TA505 campaigns this week. The researchers not only examined the group’s new loader (which Trend Micro analysts named Gelup), but also described another new tool in the group’s arsenal, the FlowerPippi malware.


FlowerPippi combines loader and backdoor capabilities, so it can be used to deliver additional malware to an infected machine. According to Trend Micro, the backdoor is also used to collect and exfiltrate information and to execute arbitrary commands received from its command-and-control server. Full technical details about FlowerPippi are available in Trend Micro’s separate report.
