Recently, researchers from Trustwave discovered a spam campaign aimed at spreading the FlawedAmmyy Remote Access Trojan (RAT). Although small in scale, it is highly targeted. From the recipient’s address of the email, the attacker’s goal seems to be the major banks.
Trustwave researchers wrote in a blog post: “So when we saw an email sample with a .pub attachment (Microsoft Office Publisher file) and the subject “Payment Advice”, our suspicions were aroused. Surely this file would not be delivering anything useful to the user.”
Microsoft Office Publisher is a desktop publishing application released by Microsoft in 1991 and is only available for Windows. Coupled with the limited page layout feature, it is not widely used. From the positioning of Microsoft’s Publisher, its target users are mainly small and medium-sized enterprises that do not have professional professionals to produce marketing materials and other documents.
In some of the spam emails that were previously reported, the attachment formats we usually see are generally .doc or .docx, .xls or .xlsx, .pdf, or even .iqy, and have barely seen .pub. But in this activity, this rare format has appeared.
Similar to attachments in other formats, opening the .pub file will prompt you to enable macros. Earlier versions of Microsoft Publisher may display prompts for “Enable Editing” and “Enable Content”.
Manually opening the VBA editor in Microsoft Publisher and clicking ThisDocument under Project Explorer will display VBScript, and the macro script will be triggered by the function Document_Open(). Simply put, when the file is opened, the script will access the URL and execute the downloaded file.
The malicious code uses the control object in the form to hide the URL it will access (the URL used to download the FlawedAmmyy RAT). If we double-check the properties, we will find this URL in the Tag property.
FlawedAmmyy RAT is a favourite backdoor tool that allows an attacker to take control of your device without your knowledge. Last month, researchers from the network security company Proofpoint also discovered the FlawedAmmyy RAT in another spam email campaign and noted that the hacker organisation TA505 initiated the event.
Although Trustwave researchers have not made it clear that the operator behind the event is also TA505, the same malware (FlawedAmmyy RAT) spread by the game has indeed sent information about the infected system to the attacker. , such as victim ID, operating system version, username, and credentials.
From the recipient’s address of the email, they all belong to the bank, which indicates that the attacker seems to want to establish a foothold within the target banking system through the FlawedAmmyy RAT to carry out the next attack.