Microsoft Office Publisher file (.pub) is being used with the subject line “Payment Advice” and is targeting bank domains. After research was conducted, the emails were found to contain URLs that cryptically downloaded FlawedAmmyy, which is a remote-access trojan (RAT) using a backdoor tool that gives attackers the ability to control a victim’s computer from an offsite location. Initially, when the file is opened it looks harmless. However, after clicking “ThisDocument” in Microsoft Publisher when using the Virtual Basic Editor, a VBScript is executed, triggering the RAT archive. Control Objects are used in the forms to hide the URL it is attempting to access, but after an investigation, it was found in the Tag Property. Machine information in the likes of “id,” “os,” “names,” and credentials is then transferred to the attacker. Although this RAT has been used before, specifically by the threat group TA505, this campaign is unique since it uses Microsoft Publisher .pub files, and it was specifically targeted at banks.
FlawedAmmy is Back to Targeting Banks
August 20, 2018