The TA505 threat group launched two malware campaigns in June this year, delivering the FlawedAmmyy RAT to victims in several countries using a newly developed downloader called AndroMut.
Both campaigns delivered the malware through phishing emails carrying links to download malicious Microsoft Word and Excel files, according to a Proofpoint blog post published on July 2. In both cases the documents fetched the AndroMut loader, which in turn delivered the FlawedAmmyy RAT.
One of the campaigns targeted South Korean organizations, while the other went after financial institutions in Singapore, the United Arab Emirates and the U.S. In both cases, the subject lines of the phishing emails used financial-document terminology such as "invoice," "remittance" or "estimate."
Proofpoint reports that AndroMut is written in the C programming language, communicates with its command-and-control (C2) server via HTTP POST requests, and shares some code with the Andromeda and QtLoader malware families.
AndroMut carries several anti-analysis checks: it looks for sandboxes, checks whether the mouse is actually moving, detects the Wine emulator, and detects attached debuggers. For persistence, Proofpoint explains, it either drops a copy of itself in the Recycle Bin and launches it through a created LNK file, or registers itself through the Run registry key.
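The persistence tricks described above (an autostart LNK or Run-key value whose program sits in the Recycle Bin) are unusual enough to hunt for directly. The script below is an added example, not code from Proofpoint or from the article: it takes a constructed list of autostart entries in the shape a collector would export (Run-key values and Startup-folder LNK targets), extracts the program path from each command line, and flags any whose path passes through a Recycle Bin folder. The function names and the sample entries are assumptions made for illustration.

```python
import re

# Recycle Bin folder names seen across Windows versions, matched as a
# complete path component so "C:\MyRecycler\x.exe" is not a false positive.
RECYCLE_BIN_RE = re.compile(
    r'(?:^|[\\/])(?:\$recycle\.bin|recycler|recycled)(?:[\\/]|$)', re.IGNORECASE
)

# Extensions an autostart value or LNK target normally points at.
EXE_RE = re.compile(
    r'(\S+?\.(?:exe|dll|scr|com|cmd|bat|vbs|js|ps1))(?=\s|$)', re.IGNORECASE
)


def extract_executable(command: str) -> str:
    """Pull the program path out of an autostart command line.

    Handles a quoted path followed by arguments and an unquoted path followed
    by arguments. Unquoted paths containing spaces are ambiguous on Windows
    itself, so the first token ending in a known extension is used.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def is_recycle_bin_path(path: str) -> bool:
    """True if any directory component of the path is a Recycle Bin folder."""
    return RECYCLE_BIN_RE.search(path) is not None


def find_recycle_bin_autostarts(entries):
    """Return the autostart entries whose program lives under a Recycle Bin.

    Each entry is a dict with 'source' (Run key path or Startup .lnk path),
    'name' (value name or file name) and 'command' (Run value data, or LNK
    target plus arguments). Flagged copies gain an 'executable' field.
    """
    flagged = []
    for entry in entries:
        exe = extract_executable(entry["command"])
        if is_recycle_bin_path(exe):
            flagged.append({**entry, "executable": exe})
    return flagged


# Constructed sample input (hypothetical hosts, not data from the campaigns).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_AUTOSTARTS = [
    {"source": RUN_KEY, "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": RUN_KEY, "name": "svchost",
     "command": r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\svchost.exe"},
    {"source": STARTUP + r"\update.lnk", "name": "update.lnk",
     "command": r'"C:\$RECYCLE.BIN\S-1-5-21-1004336348-1177238915-682003330-1001\update.exe" -s'},
    {"source": STARTUP + r"\Send to OneNote.lnk", "name": "Send to OneNote.lnk",
     "command": r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr'},
]

if __name__ == "__main__":
    for hit in find_recycle_bin_autostarts(SAMPLE_AUTOSTARTS):
        print(f"[!] {hit['source']} -> {hit['name']}: {hit['executable']}")
```

On a real host the entries would come from an autoruns export or from reading the Run keys and enumerating the Startup folder; the matching logic is the same. A LNK target is resolved by the collector, so the check sees the final path rather than the shortcut file.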
"In June 2019, in the United States, the UAE and Singapore, banks became the main victims within the framework of the usual pattern of TA505 behavior," reports Proofpoint. "A new AndroMut loader, combined with the FlawedAmmyy RAT as payload, appears to be a new pet of TA505 for summer 2019."