There has been a recent uptick in phishing emails attempting to deliver the FlawedAmmyy remote access trojan (“RAT”). If successful, this RAT may provide malicious actors with full control of affected systems, including Remote Desktop control, proxy support, audio chat, and file system manager functionalities.
Recent emails in this campaign have a Subject line beginning with “Invoice for” followed by random numbers and the date. Emails have an MS Word attachment titled “Invoice” with random numbers. If a recipient opens the attachment and enables the macro, FlawedAmmyy is downloaded onto their device.
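For mail administrators, the lure traits described above can be checked on stored messages. This is an added example, not part of the original advisory; the regular expressions, Word extensions and the `triage` and `build_sample` helpers are assumptions, since the advisory describes the subject and attachment name only in words.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed patterns: "Invoice for" + digits at the start of the subject, and a
# Word attachment named "Invoice" + digits. Exact formats are not in the advisory.
SUBJECT_RE = re.compile(r"^\s*Invoice for\s+\d+", re.IGNORECASE)
ATTACH_RE = re.compile(r"^Invoice\D{0,3}\d+.*\.(?:doc|docm|docx)$", re.IGNORECASE)

def triage(raw_message):
    """Return which lure traits from the advisory a raw RFC 5322 message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so encoded subjects match too.
    subject = str(msg["Subject"] or "")
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    # iter_attachments() yields nothing for a plain, non-multipart message.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if ATTACH_RE.match(name):
            hits.append("attachment:" + name)
    return hits

def build_sample(subject, filename=None):
    """Build a constructed test message; addresses and body are placeholders."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.edu"
    m["Subject"] = subject
    m.set_content("Please see attached.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    samples = [
        build_sample("Invoice for 48213 05/10/2018", "Invoice 7731.doc"),
        build_sample("Invoice for your records", "Invoice.doc"),
        build_sample("Lunch on Friday?"),
    ]
    for raw in samples:
        print(triage(raw) or "no match")
```

A message that shows both traits is a candidate for quarantine and review; a match on the subject alone is weaker, because legitimate invoices use similar wording.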
Please be reminded of the following:
- Do not open unexpected attachments, even when attachments appear to come from a known person or entity.
- All embedded links in email messages should be evaluated for security before you click them, even when the email appears to come from a known person or entity.
- To confirm that attachments are safe to open, contact the sender at a trusted phone number to verify.
- For information on evaluating URLs and recognizing phishing scams, please see the following NYU KBase article: Recognizing phishing scams and protecting yourself online.
- If an embedded link takes you to a login page where you are asked to input your credentials or supply other sensitive/confidential information, it is suggested that you instead visit the website of the business/entity at issue by typing the URL into your browser’s address bar, and log into the legitimate (vs. a potentially spoofed) site.
For a technical description and removal instructions for FlawedAmmyy, please see: https://www.symantec.com/security-center/writeup-print/2018-092813-5722-99