Trustwave has spotted a new malspam (malware spam) campaign posing as an invoice. Malspam emails with infected invoices are nothing new. Most organisations see at least one every week. They come either as an infected Microsoft Word document or as an infected PDF.
This attack is different as the attackers are using Microsoft Publisher. It is targeting banks rather than enterprises and will install the FlawedAmmyy RAT malware. It is a small campaign being distributed via the Necurs botnet.
How does the attack work?
It is an unsophisticated attack that goes like this:
- User get an email with the subject line “Payment Advice DHS158700155”
- The email has an attachment with the extension .pub
- When clicking on, the .pub file prompts to Enable Macros, Enable Editing or Enable Content (depends on the version of Microsoft Publisher)
- The macros run VBScript that connects to a URL and downloads the FlawedAmmyy RAT
- The attacker takes over the machine
This attack relies on user apathy around malware attachments. Users get emails with attachments all the time. This means that they have to think before they click or open them. Users should treat any unexpected email attachment, especially one claiming to be an invoice, as suspicious. It is a very common attachment attack vector. The use of .pub rather than this being a Word document may have been enough to catch out curious users.
What is the FlawedAmmyy RAT?
As its name implies, this is a Remote Access Tool. It is based on leaked source code for the Ammyy admin remote desktop software. The RAT contains a remote desktop tool, a file system manager and several other capabilities. An infected machine allows an attacker to install other malware on the computer. This allows them to steal security credentials and use the computer to carry out other attacks.
One attack vector is sending email to other users inside the same organisation. Users are more likely to accept email and open attachments from someone inside the same organisation than they are from an outsider. This makes infection by FlawedAmmyy and other RATs especially dangerous.
FlawedAmmyy has been used in other highly targeted attacks since 2016. It was last seen in July 2018 when it was used in a large-scale attack by the TA505 threat actor. That attack used infected PDF attachments and targeted new features in Windows 10.
What does this mean
Infected attachments used to spread malware are commonplace. Despite user education and attempts to catch them using security software on devices and in email servers, they still get through. Attachment contained in an email from another user inside the organisation is likely to be trusted and opened.
Trustwave gives no details on the number of machines infected in this attack. It claims that the Necurs spam botnet was used to distribute this attack. Security vendor Proofpoint refers to Necurs as the TA505 threat actor.
IT security teams need to warn users again about the dangers of opening unexpected attachments. Users should patch all software, especially their security software.