FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]

ID: S0381
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 28 May 2019
Last Modified: 18 July 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.[1]

Enterprise T1005 Data from Local System

FlawedAmmyy has collected information and files from a compromised machine.[2]

Enterprise T1115 Clipboard Data

FlawedAmmyy can collect clipboard data.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FlawedAmmyy has established persistence via the HKCU\SOFTWARE\microsoft\windows\currentversion\run registry key.[2]
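The following PowerShell script is an added defender-side example, not code from the ATT&CK page or from any of the cited reports. It audits the per-user Run key named above and flags autostart entries whose command line resolves into a user-writable location; the list of "suspicious" directories is an assumed triage heuristic, not an indicator from the page.

```powershell
# Added example (not from the ATT&CK page): audit the per-user Run key that
# FlawedAmmyy is reported to use for persistence, and flag entries whose
# command lines point at user-writable locations. Run as the user being audited.

$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Directories that machine-wide installers rarely use for autostart binaries.
# A match is only a triage hint, not proof of compromise (assumed heuristic).
$suspiciousRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    'C:\ProgramData', 'C:\Users\Public'
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-RunKeyFindings {
    param([string]$Path = $runKey)

    if (-not (Test-Path $Path)) { return @() }

    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Expand %VAR% references so the comparison uses the real on-disk path
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        $flag = $false
        foreach ($root in $suspiciousRoots) {
            if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $flag = $true
                break
            }
        }
        [pscustomobject]@{
            Key        = $Path
            ValueName  = $name
            Command    = $cmd
            Suspicious = $flag
        }
    }
}

# Suspicious entries sort to the top for review
Get-RunKeyFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the key lives under HKCU, the script must run in the context of each user profile being audited; entries that are flagged should be correlated with the binary's signature, creation time and parent process (for example an msiexec.exe or rundll32 ancestor, as listed elsewhere on this page) before being treated as malicious.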

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FlawedAmmyy has used PowerShell to execute commands.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

FlawedAmmyy has used cmd to execute commands on a compromised host.[2]

Enterprise T1120 Peripheral Device Discovery

FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader.[1]

Enterprise T1113 Screen Capture

FlawedAmmyy can capture screenshots.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FlawedAmmyy has used HTTP for C2.[1]

Enterprise T1001 Data Obfuscation

FlawedAmmyy may obfuscate portions of the initial C2 handshake.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

FlawedAmmyy enumerates the privilege level of the victim during the initial infection.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

FlawedAmmyy can execute batch scripts to delete files.[2]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

FlawedAmmyy has been installed via msiexec.exe.[2]

.011 System Binary Proxy Execution: Rundll32

FlawedAmmyy has used rundll32 for execution.[2]

Enterprise T1082 System Information Discovery

FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.[1]

Enterprise T1033 System Owner/User Discovery

FlawedAmmyy enumerates the current user during the initial infection.[1][2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[1]

Enterprise T1105 Ingress Tool Transfer

FlawedAmmyy can transfer files from C2.[2]

Enterprise T1056 Input Capture

FlawedAmmyy can collect mouse events.[2]

.001 Keylogging

FlawedAmmyy can collect keyboard events.[2]

Enterprise T1041 Exfiltration Over C2 Channel

FlawedAmmyy has sent data collected from a compromised host to its C2 servers.[2]

Groups That Use This Software

ID Name References
G0037 FIN6

[3]

G0092 TA505

[1][4][5]

References