FlawedAmmyy is a remote access tool (RAT) first seen in early 2016. Its code is based on leaked source code of a version of Ammyy Admin, a commercial remote administration product.[1]
Techniques used by FlawedAmmyy, as mapped to ATT&CK:

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | FlawedAmmyy has used HTTP for C2.[1]
Enterprise | T1001 | Data Obfuscation | FlawedAmmyy may obfuscate portions of the initial C2 handshake.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[1]
Enterprise | T1120 | Peripheral Device Discovery | FlawedAmmyy will attempt to detect whether a usable smart card is currently inserted in a card reader.[1]
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | FlawedAmmyy enumerates the privilege level of the victim during the initial infection.[1]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[1]
Enterprise | T1082 | System Information Discovery | FlawedAmmyy sends the victim's operating system and computer name to its C2 during the initial infection.[1]
Enterprise | T1033 | System Owner/User Discovery | FlawedAmmyy enumerates the current user during the initial infection.[1]
Enterprise | T1047 | Windows Management Instrumentation | FlawedAmmyy uses WMI to enumerate anti-virus products on the victim.[1]
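The discovery rows above (T1033, T1069.001, T1082, and WMI-based T1047/T1518.001) all happen in a tight burst at initial infection, which is the signal a detection engineer can key on. The script below is an added example written for this page, not FlawedAmmyy code or a MITRE artifact: it scores Sysmon-style process-creation records per (host, parent process) and raises an alert when one parent spawns three or more distinct discovery techniques within a short window. The log records are constructed, the parent image name `wsus.exe` is invented, and the command-line indicators (including the `AntiVirusProduct` query in `root\SecurityCenter2`) are assumptions about how these techniques look when carried out with built-in Windows tools.

```python
"""Detect a FlawedAmmyy-style initial-infection discovery burst from
Sysmon-like process-creation (Event ID 1) records.

Added example for this page, not FlawedAmmyy code. Events are constructed;
indicator patterns are assumptions about LOLBin forms of the techniques.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line indicators keyed by ATT&CK technique ID.
# The WMI/AV pair covers the "SELECT * FROM AntiVirusProduct" query in
# root\SecurityCenter2 that security-software discovery via WMI typically
# issues (assumption, not taken from the FlawedAmmyy report).
INDICATORS = {
    "T1047/T1518.001": re.compile(r"wmic\b.*(antivirusproduct|securitycenter2)", re.I),
    "T1082": re.compile(r"\b(systeminfo|hostname)(\.exe)?\b", re.I),
    # whoami without /groups -> current user; with /groups -> group membership
    "T1033": re.compile(r"\bwhoami(\.exe)?\b(?!.*/groups)", re.I),
    "T1069.001": re.compile(r"(whoami(\.exe)?\s+/groups|net1?(\.exe)?\s+localgroup)", re.I),
}

# Constructed records modelled loosely on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01",
     "parent": r"C:\Users\jdoe\AppData\Roaming\wsus.exe", "cmd": "whoami"},
    {"ts": "2024-05-01T10:00:02", "host": "WS01",
     "parent": r"C:\Users\jdoe\AppData\Roaming\wsus.exe", "cmd": "whoami /groups"},
    {"ts": "2024-05-01T10:00:03", "host": "WS01",
     "parent": r"C:\Users\jdoe\AppData\Roaming\wsus.exe", "cmd": "hostname"},
    {"ts": "2024-05-01T10:00:04", "host": "WS01",
     "parent": r"C:\Users\jdoe\AppData\Roaming\wsus.exe",
     "cmd": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    # Benign admin activity on another host, spread over 45 minutes.
    {"ts": "2024-05-01T11:00:00", "host": "WS02",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "whoami"},
    {"ts": "2024-05-01T11:45:00", "host": "WS02",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "systeminfo"},
]


def classify(cmd):
    """Return the set of technique IDs whose indicator matches a command line."""
    return {tid for tid, rx in INDICATORS.items() if rx.search(cmd)}


def find_discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """Alert on (host, parent) pairs that hit >= min_techniques distinct
    discovery techniques within `window`, using a sliding window over
    time-sorted hits. One alert per pair."""
    by_key = defaultdict(list)
    for ev in events:
        techs = classify(ev["cmd"])
        if techs:
            key = (ev["host"], ev["parent"])
            by_key[key].append((datetime.fromisoformat(ev["ts"]), techs, ev["cmd"]))

    alerts = []
    for (host, parent), hits in by_key.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            seen = set().union(*(h[1] for h in in_window))
            if len(seen) >= min_techniques:
                alerts.append({
                    "host": host,
                    "parent": parent,
                    "start": t0.isoformat(),
                    "techniques": sorted(seen),
                    "commands": [h[2] for h in in_window],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} parent={alert['parent']} at {alert['start']}: "
              f"{', '.join(alert['techniques'])}")
```

Two caveats when adapting this. First, the command-line rules only see child processes; a compiled RAT can issue the same WMI query in-process through the WMI COM interfaces without ever spawning `wmic.exe`, so covering that path needs WMI-Activity tracing or EDR API telemetry rather than Sysmon Event ID 1. Second, keying on the parent image rather than the host is what keeps the WS02 admin session from alerting; tune `window` and `min_techniques` against your own baseline of legitimate scripts that run `whoami` and `systeminfo` back to back.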
Groups that use this software:

ID | Name
---|---
G0092 | TA505
G0037 | FIN6