CyberWire Daily - Chasing FlawedAMMYY. [Research Saturday]
Episode Date: March 31, 2018
FlawedAMMYY is a newly discovered remote access trojan (RAT) that's been used in malicious email campaigns, as far back as 2016. Ryan Kalember is Senior Vice President of Cyber Security Strategy at Proofpoint, and he takes us through their research.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
It's part of a very, very large malware campaign that thankfully didn't get through to any of our customers,
but it's the size of thing that we certainly pay attention to.
That's Ryan Kalember. He's Senior Vice President of Cybersecurity Strategy at Proofpoint.
He's describing a newly discovered remote access Trojan called FlawedAmmyy
that's been used in malicious email campaigns as far back as 2016.
And it had all the hallmarks of a particular malware crime group we call a threat actor.
We identify it as Threat Actor 505.
They're really responsible for over 90% of all the malware on the internet.
And they run one of the biggest botnets that's out there,
which is known as the Necurs botnet.
So we pay attention to pretty much everything that they do.
Once we saw the campaign,
even though we had blocked it, of course,
we started doing a little bit more research
into what the payload looked like
and how it would behave if someone were to have received it
and infected themselves.
And that's where we started to see it get interesting.
So take us through some of the details here.
You call this FlawedAmmyy.
What's the background?
How'd you come up with that name?
So this is a corrupted version of a really quite legitimate tool that is used for remote
desktop administration.
The sort of thing that would be known as a good kind of RAT,
as opposed to the bad kind of RAT. And there's lots of these tools that occasionally get used
for good or for evil. And in fact, one of the hallmarks of modern cybersecurity is that the
attackers use a lot of the same administrative tools that we use to manage our own computers
and networks for their own nefarious purposes.
Once we started digging around, we realized that the source code to this Ammyy tool had leaked,
and the attackers were able to basically develop their own malicious version of it.
And that obviously led us to the name FlawedAmmyy,
which is not the most creative thing we have ever done, to be completely candid. But I think it really accurately describes what they've been doing here. And looking a little
bit deeper, we found that this has actually been used since the beginning of 2016. It wasn't used
in quite the same way it was last week, where it was a really, really large campaign, multi-million
message campaign that we saw.
And we do see a lot of the world's email, of course, but we don't see it all.
We actually were able to trace back since the beginning of 2016 some narrow, highly targeted attacks that went after some really more interesting targets like the automotive industry as well as a few other vertical industries.
You say this was a large attack and certainly millions of emails qualifies as big.
Was this more of a shotgun approach or did it seem like they were targeting anyone in
particular?
Well, it was the typical TA-505 approach.
We've seen it before with malware like Locky and Dridex, GlobeImposter.
They're all different things that this really large group has sent out.
Well, they might not be a large group in terms of human capacity, but they certainly are in terms of their ability to spread malware.
And they maintain these broad lists, right?
And in some cases, they actually even use an affiliate model to send out these huge volumes of malware.
So that's not necessarily
targeted in any meaningful sense. But since they do have sort of like a marketing campaign would
have a list of potential recipients, you know, they have their own database of contacts that
they send to. It was targeted in that sense by the Necurs botnet to millions and millions of recipients worldwide.
That said, once an infection occurred, they could do some very, very specific things that aren't similar to what a banking Trojan or ransomware, which this group is actually more commonly associated with, would do.
Ransomware pretty much behaves the same way every single time.
And banking Trojan does the same.
In this case, they would have full control over all of these machines.
That would mean they could steal all the files, steal all the credentials.
They could create their own kind of extension to the existing botnet
out of this very, very large group of
likely compromised computers that would have been infected by this. And certainly they could
look around for more targeted, specific types of data or even specific machines that were caught
up in the broad campaign if they were looking for, say, an individual organization's data or
proprietary IP. All of that would be on the table given
how a RAT behaves, especially one that's built the way that FlawedAmmyy is.
So let's walk through the delivery of this. How would someone find themselves infected?
So the first thing that they'll see is the typical malicious message that looks enticing to click on.
In this case, it was a kind of a clever technique
in that the message was sent from the recipient's own domain.
So if, for example, it was sent to me,
it would have been spoofed from at proofpoint.com.
Interestingly, very few organizations actually authenticate their email,
so most of the time these spoofs are delivered.
It, of course, wouldn't have been to proofpoint.com, but for your typical organization who hasn't implemented a protocol
called DMARC and authenticated their email, it would have gotten right through. And that actually
is a fairly common technique and is part of a lot of these large campaigns. And very often
organizations won't even take fairly simple steps to put a tag in the subject line that says, hey, this came from an external source, even though it's pretending to come from the domain that we all share for our email addresses.
So that was actually the first interesting thing about the campaign.
It had a subject line that I believe was receipt number, if I recall correctly, with some random digits.
That's very, very common in these kinds
of things. And interestingly, the attachment was a URL file that was in a zipped archive. So
again, the sort of thing that does pretty well in evading certain types of malware detection.
We recognize the URL as an executable file, and that's why we blocked it for our customers,
but that doesn't seem to have been the case for all types of defenses.
What typically is a URL file used for?
It's a good question, actually. But a URL file is basically going to be interpreted by Windows
as an internet shortcut. But in this case, the shortcut wasn't actually to any sort of HTTP or HTTPS site.
What it did instead is when you clicked on it, it downloaded and then executed a JavaScript file over what's known as the SMB protocol, made very, very famous by WannaCry and NotPetya and lots of other things.
But it's Server Message Block, really. It's how file sharing occurs over traditional legacy networks.
So it wasn't going to a website; it was going to a JavaScript file over SMB, which was
very, very interesting. That JavaScript file then would download a tool called Quant Loader, which
is sort of an intermediary kind of downloader payload. And then the final payload was the FlawedAmmyy RAT.
Now, you would get a pop-up window, right, that you would have to open the file.
Is that correct?
Oh, yeah.
It was a zipped file.
There was no reason you'd have to open it at all.
In fact, it would just be an email attachment that you would then have to unzip
and then actually click on the URL file.
So you had to do a couple of different steps, very
much like a lot of modern malware, where you have to click on "Enable Content" in the macro-laden
Word document, or any of the innumerable variations on sending
users executable code and then trying to trick them into running it. Because, you know, it's 2018, and it is much easier to fool a user into giving you a remote code exec than it is to fool a
computer into giving you the ability to run code on it. Yeah, that's an interesting insight. I mean,
it's a, I suppose it's really a numbers game. It is absolutely a numbers game. But it's also
a case of why do something hard when you could do something easy? Over 99% of the threats that we see do not involve a vulnerability that's not patched or even one that is patched.
Because attackers have realized that they want people to run code for them, and they're pretty good at tricking people into doing that.
It's much, much easier to come up with a clever lure, figure out how to get somebody to click on it a couple of times, maybe click on a dialog box versus finding a vulnerability and then overcoming all of the mitigations in modern operating systems and browsers that are designed to prevent you from exploiting that vulnerability.
So not only is finding a vulnerability hard, writing an exploit for it is hard, but at the same time, there's that vulnerability in between the chair and the keyboard, which is always exploitable.
So someone goes and does the clicking against advice from their security team and finds themselves infected with this.
What happens next?
Well, at that point, the attacker has full control of the target machine, and they can do whatever they want.
At this point, we don't have a lot of telemetry on what they were doing,
but what they would have been capable of doing is
basically doing pretty much whatever they'd like
with the target machine. Again, making it part of a botnet, looking for any data
that they might find interesting on it. What is very frequent is they'll also
harvest credentials from a target machine
to either use in further attacks or try and use to leverage the data,
or to get the data, rather, that those credentials would have had access to.
And it's really open season once you have a RAT installed on a target machine.
Now, is this the sort of thing that a typical antivirus program would have detected?
I think it would have, at least after the initial campaigns flagged it as malicious.
That said, it's really hard for an endpoint product to realize that a user opening a zip file, clicking on a .url file, again, one that behaves relatively normally compared to most enterprise network
traffic, right? It was just going to a file colon slash slash address and not an HTTP or HTTPS
slash slash address. And then downloading that bit of JavaScript, again, the user's doing the
hard work here. They're running the code. So it's hard to tell apart from something that the user
might be doing legitimately. It wasn't packed with any of the classic things that even next generation antivirus, as they're called, look for.
So it had a lot of those sort of clever evasion techniques that are often extremely effective against mitigations that you might apply on the endpoint. In this case, when you have an executable
that doesn't have a previously known reputation,
you have to catch it based on its behavior
or something along those lines.
So there would have been a fair chance
that some of the endpoint tools would have caught it.
Looking at things like VirusTotal,
it was clear that it got through
quite a lot of endpoint defenses, though.
I'm curious about, you mentioned that this TA505 group runs a botnet.
Can you describe to us, what do they have there? Oh, it's a great question. So TA505, or at least
as we call them, they have lots of other names. They run this Necurs botnet, N-E-C-U-R-S.
One of the bigger ones in the world.
And they use that botnet for all kinds of different things.
Historically, they've used it to try and send out banking Trojans to people in order to basically inject themselves into web sessions and steal money.
Banking Trojans are fairly hard to develop, actually, compared to other pieces of malware like ransomware, which is a substantially simpler enterprise.
So we saw them actually shift from a very famous banking Trojan known as Dridex to
the Locky ransomware, which became famous in its own right a couple of years ago. And again,
they're using this botnet to just send out millions, tens of millions, in a few cases,
hundreds of millions of emails in each campaign. So really,
they are responsible for a shocking percentage of the world's malware infections by volume.
Maybe not the most interesting attacker in the world, but they are the biggest player
when it comes to kind of worldwide infections. And that botnet, though, occasionally gets used
for different things. So for example, you know, they're going to go where the money is and monetize the botnet however
they can. So oddly enough, the botnet over the last couple of weeks has really just been sending
spam, which they can monetize in certain ways and can keep the money flowing while
they do things like invest in new tools. FlawedAmmyy is a really good example of that. There was certainly a development cycle
in taking the stolen source code for this remote
administration tool and turning it into a remote access
Trojan. That's the sort of work that
takes a couple of weeks. And this group in particular,
although the botnet doesn't
go away over the holidays, this group does tend to quiet down somewhere between sort of mid-December
and usually sometime in the first couple of months of the year. And they seem to come back with a
completely new trick every time they do that. And in this case, it was the FlawedAmmyy campaign,
which was a fairly different thing than anything they had done before
and gives them a variety of opportunities to monetize all these compromised computers,
which will either become part of the Necurs botnet or they're going to leverage in other ways.
Now, do you have any sense for what part of the world they're coming from?
And also, are they targeting particular parts of the world with their attacks?
origin. That said, they run an affiliate model, so it's very much a complex exercise to ever tie this back to individual humans. They're not known to be state-sponsored in any meaningful way.
And they are equal opportunity. For years, they were hitting Europe harder than they were hitting
the US, for example. They've also gone hard after Australia in certain campaigns in the
past. But their infrastructure is large enough and automated enough that they can really target
the whole world. And they can do so in waves of email that are timed to maximize their infection
rates. And we are very, very clear on the fact that they're good at monitoring how successful they are,
how effective each of these campaigns are.
And they'll change their techniques constantly.
And sometimes that's a big change, like with FlawedAmmyy.
In other cases, it's a minor tweak.
Like they're doing something slightly different with macros,
or they experimented with what's known as DDE, Dynamic Data Exchange, which is something that was built into Microsoft Office
many, many, many years ago, and allowed a payload to be downloaded within an Office document by a
user clicking OK a bunch of times. So they're very, very good at changing the technique all
the time. But what's really distinguished them, as well as lots of other threat actors these days,
is that they don't actually use very many vulnerabilities at all.
They're not the sort of group that is going to be coming up with zero days.
Although in the past they've used very, very recently disclosed vulnerabilities that were reliable exploits,
they don't actually even rely on zero days in order to be effective in compromising huge amounts of computers worldwide.
In terms of advice for folks to protect themselves against FlawedAmmyy, what would you suggest?
FlawedAmmyy, we've seen mostly disseminated via email. So the best way to stop that is to make sure that you have an email gateway that's stopping
any executable content from coming into your users to begin with. So FlawedAmmyy in particular is
using this fairly novel .url technique. Then again, it is pretty much a variant of a lot of
different things that we've seen from numerous actors over the last couple
of years where, you know, they're sending people zipped JavaScript or stuff like that, which you
wouldn't think many people would click on, but they do. So the easiest way to stop something
like FlawedAmmyy is to make sure that whatever you're using as an email gateway makes sure to
strip out any executable content. Users should also be made aware that
they're being targeted in these ways. If you get a receipt, as in the FlawedAmmyy campaign, from an
email address you don't recognize, even if it's sent from your own company's domain, that is worth
paying attention to. I think this is a good case in which a lot of organizations can benefit from
a really, really easy thing to do, which is to put external in the subject line whenever that email is coming from
outside. Because users might think twice and say, oh wait, it's pretending to come from somebody in
my organization, but it says external. Now this looks suspicious to me. Of course, user awareness
training is a bit of a moving target. It's something that a lot of people are investing in, and it will never be perfect, but it's a good thing to add to the overall mix
of defenses that actually do turn out to be pretty effective against things like FlawedAmmyy.
Our thanks to Ryan Kalember from Proofpoint for joining us. You can find all the information
about the FlawedAmmyy RAT on the Proofpoint website.
It's in their blog section.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.