Via a specially crafted Excel email attachment, attackers can use malicious macro functions and a “complex infection chain” to run the RAT in memory. FlawwedAmmy rose to notoriety during email campaigns in March 2018. It’s thought to have targetted finance and retail and allows full remote access to the PC. Microsoft discovered the campaign with the help of anomaly detection. It says the attack starts with a .xls attachment in with Korean content. “When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory,” explained Microsoft Security Intelligence on Twitter. “This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory.” Of course, users should never open .xls files from unverified senders, nor should they be enabling macros in Excel by default. Clearly, though, Microsoft thinks this is enough risk that to be warning users. The good news is that customers with Windows Defender ATP should be safe. The software was able to use machines learning protections to successfully block all components on first sight. This should limit the impact on organizations. Earlier in the month, the company also warned that attackers are exploiting a flash player exploit via Excel to gain full control of PCs, in what’s thought to be a nation-state attack. The flaw has since been patched, but it’s clear Excel users should be especially cautious.
