News

Operators of Dridex and Locky Trojans use new AndroMut loader

Experts of the Proofpoint company found that the Russian-speaking hack group TA505 switched to using the new loader, AndroMut.

It is believed that this grouping existed at least since 2014 and is associated with such large-scale malicious campaigns as the distribution of Drirex and Shifu bankers, Locky cryptographer, as well as the extortionists Philadelphia and GlobeImposter, ServHelper backdoors and FlawedAmmyy.

Now experts noticed that in June 2019, hackers began to use the new AndroMut bootloader written in C++ to distribute RAT FlawedAmmyy.

“Proofpoint research discovered AndroMut download malware that is referred as “FlawedAmmyy.” FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy”, — said researchers.

At the same time, researchers discovered that the new loader pretty much resembles the famous Andromeda malware family, which in 2017 formed one of the largest botnets in the world.

Proofpoint analysts suggest that TA505 members may use leaked Andromeda source codes, or one of the creators of the botnet collaborates with the grouping.

Application of AndroMut was recorded in two different campaigns: the first one touched users from South Korea, the second is aimed at financial institutions in Singapore, the United Arab Emirates and the United States. AndroMut is used as the first stage of the attack: the attackers spread fishing emails with malicious attachments HTM and HTML. Those, in turn, lead to Word or Excel files containing malicious macros. After opening such a file, AndroMut and then FlawedAmmyy penetrate the victim’s machine.

Researchers note that AndroMut uses several methods of protection against analysis. So, the malware checks if it is in the sandbox, examines the process names, pays attention to the movements of the mouse cursor, searches for the Wine emulator and debuggers, and also clears the memory after using important data.

“Over the last two years, Proofpoint researchers observed TA505 and a number of other players focused on downloaders, RATs, information stealers, and banking Trojans. With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual “follow the money” behavioral pattern. The new AndroMut downloader, when combined with the FlawedAmmy RAT as its payload appears to be TA505’s new pet for the summer of 2019”, — report Proofpoint specialists.

Additionally, Trend Micro experts published a report on the latest TA505 campaigns this week. Researchers not only paid attention to the new grouping loader (Trend Micro analysts gave him the name Gelup), but also described another new tool in the hacker’s arsenal, FlowerPippi malware.

Read also: The new version of the Dridex banker slipping from antiviruses

FlowerPippi also has loader and backdoor capabilities, so, it can be used to deliver additional malware to an infected machine. According to Trend Micro, this backdoor is also used to collect and steal information, and to execute arbitrary commands that it receives from the management server. All technical details about FlowerPippi can be found in a separate expert report.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-bhexusa.xyz Pop-up Ads

About News-bhexusa.xyz News-bhexusa.xyz pop-ups can not open out of nowhere. If you have clicked on…

17 hours ago

Remove News-bhupotu.xyz Pop-up Ads

About News-bhupotu.xyz News-bhupotu.xyz pop-ups can not launch out of the blue. If you have clicked…

17 hours ago

Remove News-bhocime.info Pop-up Ads

About News-bhocime.info News-bhocime.info pop-ups can not open out of the blue. If you have actually…

17 hours ago

Remove You-hub.online Pop-up Ads

About You-hub.online You-hub.online pop-ups can not launch out of nowhere. If you have clicked on…

17 hours ago

Remove News-bhecudu.live Pop-up Ads

About News-bhecudu.live News-bhecudu.live pop-ups can not introduce out of the blue. If you have clicked…

17 hours ago

Remove News-bhiciwe.today Pop-up Ads

About News-bhiciwe.today News-bhiciwe.today pop-ups can not introduce out of the blue. If you have clicked…

17 hours ago