Skip to content

S0381 FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.1

Item Value
ID S0381
Associated Names
Type MALWARE
Version 1.2
Created 28 May 2019
Last Modified 18 July 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols FlawedAmmyy has used HTTP for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FlawedAmmyy has established persistence via the HKCU\SOFTWARE\microsoft\windows\currentversion\run registry key.2
enterprise T1115 Clipboard Data FlawedAmmyy can collect clipboard data.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell FlawedAmmyy has used PowerShell to execute commands.2
enterprise T1059.003 Windows Command Shell FlawedAmmyy has used cmd to execute commands on a compromised host.2
enterprise T1005 Data from Local System FlawedAmmyy has collected information and files from a compromised machine.2
enterprise T1001 Data Obfuscation FlawedAmmyy may obfuscate portions of the initial C2 handshake.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography FlawedAmmyy has used SEAL encryption during the initial C2 handshake.1
enterprise T1041 Exfiltration Over C2 Channel FlawedAmmyy has sent data collected from a compromised host to its C2 servers.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion FlawedAmmyy can execute batch scripts to delete files.2
enterprise T1105 Ingress Tool Transfer FlawedAmmyy can transfer files from C2.2
enterprise T1056 Input Capture FlawedAmmyy can collect mouse events.2
enterprise T1056.001 Keylogging FlawedAmmyy can collect keyboard events.2
enterprise T1120 Peripheral Device Discovery FlawedAmmyy will attempt to detect if a usable smart card is current inserted into a card reader.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups FlawedAmmyy enumerates the privilege level of the victim during the initial infection.12
enterprise T1113 Screen Capture FlawedAmmyy can capture screenshots.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery FlawedAmmyy will attempt to detect anti-virus products during the initial infection.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec FlawedAmmyy has been installed via msiexec.exe.2
enterprise T1218.011 Rundll32 FlawedAmmyy has used rundll32 for execution.2
enterprise T1082 System Information Discovery FlawedAmmyy can collect the victim’s operating system and computer name during the initial infection.1
enterprise T1033 System Owner/User Discovery FlawedAmmyy enumerates the current user during the initial infection.12
enterprise T1047 Windows Management Instrumentation FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.1

Groups That Use This Software

ID Name References
G0037 FIN6 3
G0092 TA505 145

References

  1. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  2. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  3. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  4. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  5. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.