Research Saturday 3.31.18
Ep 29 | 3.31.18

Chasing FlawedAMMYY.


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Ryan Kalember: [00:01:02] This was part of a very, very large malware campaign that thankfully didn't get through to any of our customers. But it's the size of thing that we certainly pay attention to.

Dave Bittner: [00:01:11] That's Ryan Kalember. He's Senior Vice President of Cyber Security Strategy at Proofpoint. He's describing a newly discovered remote access Trojan called FlawedAmmyy that's been used in malicious email campaigns as far back as 2016.

Ryan Kalember: [00:01:26] And it had all the hallmarks of a particular, you know, malware crime group that we call a threat actor. We identify it as Threat Actor 505. They're really responsible for over 90 percent of all the malware on the Internet, and they run one of the biggest botnets that's out there, which is known as the Necurs botnet. So we pay attention to pretty much everything that they do. Once we saw the campaign - even though we had blocked it, of course - we started doing a little bit more research into, you know, what the payload looked like and how it would behave if someone were to have received it and infected themselves. And that's where we started to see it get interesting.

Dave Bittner: [00:02:06] So, take us through some of the details here. You call this FlawedAmmyy. What's the background? How'd you come up with that name?

Ryan Kalember: [00:02:13] So this is a corrupted version of a, really, a quite legitimate tool that is used for remote desktop administration - the sort of thing that would be known as a good kind of RAT as opposed to the bad kind of RAT. And there's lots of these tools that occasionally get used for good or for evil, and in fact one of the hallmarks of modern cybersecurity is that the attackers use a lot of the same administrative tools that we use to manage our own computers and networks for their own nefarious purposes.

Ryan Kalember: [00:02:45] Once we started digging around, we realized that the source code to this Ammyy tool had leaked, and the attackers were able to basically develop their own malicious version of it. And that obviously led us to the name FlawedAmmyy - which is not the most creative thing we have ever done, to be completely candid - but I think it really accurately describes what's been doing here, or what they've been doing here, rather.

Ryan Kalember: [00:03:09] And then, looking a little bit deeper, we found that this has actually been used since the beginning of 2016. It wasn't used in quite the same way it was last week, where it was a really, really large campaign, multi-million message campaign that we saw. And we do see a lot of the world's email, of course, but we don't see it all. We actually were able to trace back, since the beginning of 2016, some narrow, highly-targeted attacks that went after some really more interesting targets like the automotive industry, as well as a few other vertical industries.

Dave Bittner: [00:03:44] You said this was a large attack, and certainly millions of emails qualifies as big. Was this more of a shotgun approach, or did it seem like they were targeting anyone in particular?

Ryan Kalember: [00:03:54] Well it was the typical TA505 approach. We've seen it before with malware like Locky and Dridex, GlobeImposter - they're all different things that this really large group has sent out. Well, they might not be a large group in terms of human capacity, but they certainly are in terms of their ability to spread malware. They, uh, they maintain these broad lists, right? And they, in some cases, actually even use an affiliate model to send out these huge volumes of malware.

Ryan Kalember: [00:04:24] So that's not necessarily targeted in any meaningful sense, but since they do have, sort of like a marketing campaign would have a list of potential recipients, you know, they have their own database of contacts that they send to. It was targeted, in that sense, by the Necurs botnet to, you know, millions and millions of recipients worldwide.

Ryan Kalember: [00:04:47] You know, that said, once an infection occurred they could do some very, very specific things that aren't similar to what a banking Trojan or ransomware - which this group is actually more commonly associated with - would do. You know, ransomware pretty much behaves the same way every single time, and banking Trojan does the same. In this case, they would have full control over all of these machines. That would mean they could steal all the files, steal all the credentials. They could create their own kind of extension to the existing botnet out of this very, very large group of likely compromised computers that would have been infected by this.

Ryan Kalember: [00:05:27] And certainly they could look around for more targeted specific types of data, or even specific machines, that were caught up in the broad campaign if they were looking for, say, an individual organization's data or proprietary IP. All of that would be on the table given how a RAT behaves, especially one that's built the way that FlawedAmmyy is.

Dave Bittner: [00:05:50] So let's walk through the delivery of this. How would someone find themselves infected?

Ryan Kalember: [00:05:55] So the first thing that they'll see is the typical malicious message that looks enticing to click on. In this case, it was a kind of clever technique in that the message was sent from the recipient's own domain. So if, for example, it was sent to me, it would have been spoofed from @proofpoint[.]com. Interestingly, you know, very few organizations actually authenticate their email, so most of the time these spoofs are delivered. Of course, it wouldn't have been to, but for your typical organization who hasn't implemented a protocol called DMARC and authenticated their email, it would have gotten right through.

Dave Bittner: [00:06:32] Right.

Ryan Kalember: [00:06:32] And that actually is a fairly common technique and it is part of a lot of these large campaigns, and very often organizations won't even take fairly simple steps to, you know, put a tag in the subject line that says, hey, this came from an external source even though it's pretending to come from the domain that we all share for our email addresses.

Ryan Kalember: [00:06:53] So that was actually the first interesting thing about the campaign. It had a subject line that I believe was receipt number, if I recall correctly, with some random digits. That's very, very common in these kinds of things. And interestingly, the attachment was a URL file that was in a zipped archive. So, again, the sort of thing that does pretty well in evading certain types of malware detection. We recognize the URL as an executable file, and that's why we blocked it for our customers. But that doesn't seem to have been the case for all types of defenses.

Dave Bittner: [00:07:29] What typically is a URL file used for?

Ryan Kalember: [00:07:32] That's a good question actually. A URL file is basically going to be interpreted by Windows as an Internet shortcut. But, in this case, the shortcut wasn't actually to any sort of HTTP or HTTPS site. What it did instead is, when you clicked on it, it downloaded and then executed a JavaScript file over what's known as the SMB protocol - made very, very famous by WannaCry and NotPetya, and lots of other things. But it's Server Message Block, really, how file sharing occurs over traditional legacy networks.

Ryan Kalember: [00:08:06] You know, so it wasn't going to a website, it was going to a JavaScript file over SMB, which was very, very interesting. That JavaScript file then would download a tool called Quant Loader, which is sort of an intermediary kind of downloader payload, and then the final payload was the FlawedAmmyy RAT.

Dave Bittner: [00:08:28] Now, you would get a pop-up window right? That would - that you would have to open the file. Is that correct?

Ryan Kalember: [00:08:33] Oh yeah, it was a zipped file. There was no reason you'd have to open it at all. In fact, it would just be an email attachment that you would then have to unzip and then actually click on the URL file. So you had to do a couple of different steps, very much like a lot of modern malware where, you know, you have to click on "enable content" in the macro-laden Word document, or you just have a, you know, innumerable variations on sending users executable code and then trying to trick them into running it. Because, you know, it's 2018 and it is much easier to fool a user into giving you a remote code exec than it is to fool a computer into giving you the ability to run code on it.

Dave Bittner: [00:09:13] Yeah, that's an interesting insight. I mean, it's a - I suppose it's really a numbers game.

Ryan Kalember: [00:09:18] It is absolutely a numbers game. But it's also a case of, why do something hard when you could do something easy? You know, over 99 percent of the threats that we see do not involve a vulnerability that's not patched, or even one that is patched, because attackers have realized that, you know, they want people to run code for them and they're pretty good at tricking people into doing that.

Ryan Kalember: [00:09:40] It's much, much easier to come up with a clever lure, figure out how to get somebody to click on it a couple of times, maybe click on a dialog box, versus finding a vulnerability and then overcoming all of the mitigations in modern operating systems and browsers that are designed to prevent you from exploiting that vulnerability. So, not only is finding a vulnerability hard, writing an exploit for it is hard. But, at the same time, there's that vulnerability in between the chair and the keyboard which is always exploitable.

Dave Bittner: [00:10:07] So someone goes and does the clicking, against advice from the security team, and finds themselves infected with this. What happens next?

Ryan Kalember: [00:10:17] Well, at that point, the attacker has full control of the target machine, and they can do whatever they want. At this point, we don't have a lot of telemetry what they were doing, but what they would have been capable of doing is basically doing pretty much whatever they like with the target machine - again, making it part of a botnet, looking for any data that they might find interesting on it. What is very frequent is they'll also harvest credentials from a target machine to either use in further attacks or try and use to leverage the data or to get the data rather that those credentials would have had access to. And it's really open season once you have RAT installed on a target machine.

Dave Bittner: [00:11:00] Now, is this the sort of thing that a typical antivirus program would have detected?

Ryan Kalember: [00:11:04] I think it would have, at least after the initial campaigns, flagged it as malicious. That said, it's really hard for an endpoint product to realize that a user opening a zip file, clicking on a .url file - again, one that behaves relatively normally compared to most enterprise network traffic, right? It was just going to a "file://" address and not an HTTP or HTTPS slash slash address.

Ryan Kalember: [00:11:33] And then downloading that bit of JavaScript - again, the user is doing the hard work here. They're running the code. So it's hard to tell apart from something that the user might be doing legitimately. It wasn't packed with any of the classic things that even Next-Generation antivirus, as they're called, look for. So it had a lot of those sort of clever evasion techniques that are often extremely effective against mitigations that you might apply on the endpoint.

Ryan Kalember: [00:12:02] In this case, you know, when you have an executable that doesn't have a previously known reputation, you have to catch it based on its behavior or something along those lines. So there would have been a fair chance that some of the endpoint tools would have caught it. Looking at things like VirusTotal, it was clear that it got through quite a lot of endpoint defenses, though.

Dave Bittner: [00:12:24] Can you describe to us, I'm curious about - you mentioned that this TA505 group runs a botnet. Can you describe to us, what do they have there?

Ryan Kalember: [00:12:34] That's a great question. So TA505 - or at least as we call them, they have lots of other names - they run this Necurs botnet. N-E-C-U-R-S. One of the bigger ones in the world, and they use that botnet for all kinds of different things. Historically, they've used it to try and send out banking Trojans to people in order to basically inject themselves into web sessions and steal money. Banking Trojans are fairly hard to develop actually, compared to other pieces of malware like ransomware, which is a substantially similar enterprise.

Ryan Kalember: [00:13:05] So we saw them actually shift from a very famous banking Trojan, known as Dridex, to the Locky ransomware, which became famous in its own right a couple of years ago. And again, they're using this botnet to just send out millions, tens of millions, in a few cases, hundreds of millions, of emails in each campaign. So really they are responsible for a shocking percentage of the world's malware infections by volume. Maybe not the most interesting attacker in the world, but they are the biggest player when it comes to kind of worldwide infections.

Ryan Kalember: [00:13:39] That botnet, though, occasionally gets used for different things. So, for example, you know, they're going to go where the money is and monetize the botnet however they can. So, oddly enough, the botnet over the last couple of weeks has really just been sending spam, which they can monetize in certain ways and can keep the money flowing while they do things like invest in new tools. FlawedAmmyy's a really good example of that. There was certainly a development cycle in taking the sort of stolen source code for this remote administration tool and turning it into a remote access Trojan. You know, that's the sort of work that, you know, takes a couple of weeks.

Ryan Kalember: [00:14:22] And this group in particular - although, you know, the botnet doesn't go away over the holidays - this group does tend to quiet down somewhere between sort of mid December and usually sometime in the first couple of months of the year. And they seem to come back with a completely new trick every time they do that. And in this case it was the FlawedAmmyy campaign, which was a fairly different thing than anything they had done before, and gives them a variety of opportunities to monetize all these compromised computers, which will either become part of the Necurs botnet or they're going to leverage in other ways.

Dave Bittner: [00:15:00] Now, do you have any sense for what part of the world they're coming from, and also are they targeting particular parts of the world in their attacks?

Ryan Kalember: [00:15:08] This group is - based on a lot of what they do and a lot of the things that end up in their code - very, very likely to be Eastern European or Russian in origin. That said, they run an affiliate model, so it's very much a complex exercise to ever tie this back to individual humans. They're not known to be state-sponsored in any meaningful way. And they are equal opportunity. For years, they were hitting Europe harder than they were hitting the US, for example. They've also gone hard after Australia in certain campaigns in the past.

Ryan Kalember: [00:15:48] But, you know, their infrastructure is large enough and automated enough that they can really target the whole world, and they can do so in sort of waves of email that are timed to maximize their infection rates. And we are very, very clear on the fact that, you know, they're good at monitoring how successful they are, how effective each of these campaigns are. And they'll change their techniques constantly. And sometimes that's a big change like with FlawedAmmyy. In other cases, it's a minor tweak, like they're doing something slightly different with macros or they experimented with what's known as DDE - Dynamic Data Exchange - which is something that was built into Microsoft Office many, many, many years ago, and allowed a payload to be downloaded within that Office document by a user clicking OK a bunch of times.

Ryan Kalember: [00:16:39] So they're very, very good at changing the technique all the time. But what's really distinguished them, as well as lots of other threat actors these days, is that they don't actually use very many vulnerabilities at all. They're not the sort of group that is going to be coming up with zero-days, although in the past they've used very, very recently disclosed vulnerabilities that were reliable exploits. They don't actually even rely on zero-days in order to be effective in compromising huge amounts of computers worldwide.

Dave Bittner: [00:17:11] In terms of advice for folks to protect themselves against FlawedAmmyy, what would you suggest?

Ryan Kalember: [00:17:16] FlawedAmmyy we've seen mostly disseminated via email. So the best way to stop that is to make sure that you have an email gateway that's stopping any executable content from coming in to your users to begin with. So FlawedAmmyy in particular is using this fairly novel .url technique. Then again, it is pretty much a variant of a lot of different things that we've seen from numerous actors over the last couple of years where, you know, they're sending people zipped JavaScript or stuff like that, which you wouldn't think many people would click on, but they do. So the easiest way to stop something like FlawedAmmyy is to make sure that whatever you are using as an email gateway makes sure to strip out any executable content.

Ryan Kalember: [00:18:04] Users should also be made aware that they're being targeted in these ways. If you get a receipt, as in the FlawedAmmyy campaign, from an email address you don't recognize - even if it's sent from your own company's domain - that is worth paying attention to. I think this is a good case in which a lot of organizations can benefit from a really, really easy thing to do, which is to put "external" in the subject line whenever that email is coming from outside, because users might think twice and say, oh wait, it's pretending to come from somebody in my organization, but it says external. Now this looks suspicious to me.

Ryan Kalember: [00:18:39] Of course, user awareness training is a bit of a moving target. It's something that a lot of people are investing in, and it will never be perfect, but it's a good thing to add to the overall mix of defenses that actually do turn out to be pretty effective against things like FlawedAmmyy.

Dave Bittner: [00:18:58] Our thanks to Ryan Kalember from Proofpoint for joining us. You can find all the information about the FlawedAmmyy RAT on the Proofpoint website. It's in their blog section.

Dave Bittner: [00:19:08] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:19:16] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.