FlawedAmmyy
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
FlawedAmmyy has used HTTP for C2.(Citation: Proofpoint TA505 Mar 2018) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FlawedAmmyy has established persistence via the `HKCU\SOFTWARE\microsoft\windows\currentversion\run` registry key.(Citation: Korean FSI TA505 2020) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
FlawedAmmyy has used PowerShell to execute commands.(Citation: Korean FSI TA505 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
FlawedAmmyy has used `cmd` to execute commands on a compromised host.(Citation: Korean FSI TA505 2020) |
||
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
FlawedAmmyy has used SEAL encryption during the initial C2 handshake.(Citation: Proofpoint TA505 Mar 2018) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
FlawedAmmyy can execute batch scripts to delete files.(Citation: Korean FSI TA505 2020) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
FlawedAmmyy can collect keyboard events.(Citation: Korean FSI TA505 2020) |
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
FlawedAmmyy enumerates the privilege level of the victim during the initial infection.(Citation: Proofpoint TA505 Mar 2018)(Citation: Korean FSI TA505 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
FlawedAmmyy will attempt to detect anti-virus products during the initial infection.(Citation: Proofpoint TA505 Mar 2018) |
| Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
FlawedAmmyy has been installed via `msiexec.exe`.(Citation: Korean FSI TA505 2020) |
| .011 | System Binary Proxy Execution: Rundll32 |
FlawedAmmyy has used `rundll32` for execution.(Citation: Korean FSI TA505 2020) |
||
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0037 | FIN6 |
(Citation: Visa FIN6 Feb 2019) |
| G0092 | TA505 |
(Citation: Proofpoint TA505 Mar 2018) (Citation: Trend Micro TA505 June 2019) (Citation: Proofpoint TA505 October 2019) |
References
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
- Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.