Experts have now observed that in June 2019 the attackers began using a new downloader, AndroMut, written in C++, to distribute the FlawedAmmyy RAT.
“Proofpoint research discovered AndroMut downloading malware that is referred to as ‘FlawedAmmyy.’ FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy,” the researchers said.
At the same time, the researchers found that the new loader closely resembles the well-known Andromeda malware family, which in 2017 formed one of the largest botnets in the world.
Proofpoint analysts suggest that TA505 members may be using leaked Andromeda source code, or that one of the botnet's creators is collaborating with the group.
AndroMut has been recorded in two different campaigns: the first targeted users in South Korea, the second financial institutions in Singapore, the United Arab Emirates and the United States. AndroMut serves as the first stage of the attack: the attackers send phishing emails with malicious HTM and HTML attachments. Those, in turn, lead to Word or Excel files containing malicious macros. Once such a file is opened, AndroMut, and then FlawedAmmyy, is installed on the victim's machine.
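As an added illustration of how a mail gateway might flag the delivery chain described above (HTM/HTML lure attachments that lead to macro-enabled Word or Excel files), the following Python is an example written for this article, not code from Proofpoint, Trend Micro or the malware itself; the attachment samples are constructed in memory and the link host is a placeholder.

```python
import io
import os
import re
import zipfile

HTML_EXTENSIONS = {".htm", ".html"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm"}
# Zip members that hold VBA macros in Word and Excel OOXML files.
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin"}
# Links in an HTML lure that point at Office documents.
OFFICE_LINK = re.compile(r"""href=["'][^"']*\.(?:docx?|docm|xlsx?|xlsm)["']""", re.I)

def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) document carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_MEMBERS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment by the role it would play in the described chain."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in HTML_EXTENSIONS:
        text = data.decode("utf-8", errors="replace")
        return "html-office-link" if OFFICE_LINK.search(text) else "html"
    if ext in OOXML_EXTENSIONS:
        return "office-macro" if has_vba_project(data) else "office"
    return "other"

def flag_attachments(attachments: dict) -> dict:
    """Map each attachment name to its verdict (html-* and office-macro warrant review)."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}

def build_ooxml(members) -> bytes:
    """Build a minimal zip with the given member names (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed samples mirroring the chain: HTML lure -> macro document -> harmless files.
SAMPLES = {
    "invoice.html": b"<html><a href='http://lure.invalid/invoice.docm'>open</a></html>",
    "report.docm": build_ooxml(["[Content_Types].xml", "word/vbaProject.bin"]),
    "summary.xlsx": build_ooxml(["[Content_Types].xml", "xl/workbook.xml"]),
    "notes.txt": b"plain text",
}
```

Calling `flag_attachments(SAMPLES)` returns one verdict per attachment; the two that reproduce the chain (an HTML file linking to an Office document, and a document carrying a VBA project) are the ones to hold for review.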
Researchers note that AndroMut uses several anti-analysis techniques: the malware checks whether it is running in a sandbox, examines process names, watches for mouse cursor movement, looks for the Wine emulator and for debuggers, and also wipes sensitive data from memory after use.
“Over the last two years, Proofpoint researchers observed TA505 and a number of other players focused on downloaders, RATs, information stealers, and banking Trojans. With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual ‘follow the money’ behavioral pattern. The new AndroMut downloader, when combined with the FlawedAmmyy RAT as its payload, appears to be TA505’s new pet for the summer of 2019,” Proofpoint specialists report.
Additionally, Trend Micro experts published a report on the latest TA505 campaigns this week. Their researchers not only examined the group's new loader (Trend Micro analysts gave it the name Gelup), but also described another new tool in the group's arsenal, the FlowerPippi malware.
FlowerPippi has both loader and backdoor capabilities, so it can be used to deliver additional malware to an infected machine. According to Trend Micro, this backdoor is also used to collect and steal information and to execute arbitrary commands received from its command-and-control server. Full technical details on FlowerPippi can be found in a separate expert report.