Always be cautious when opening email attachments. Hackers have recently been sending weaponized PDFs that carry malicious SettingContent-ms files delivering the FlawedAmmyy RAT, as reported by researchers at SecurityOps. A .SettingContent-ms file is an XML shortcut to a Windows 10 settings page; double-clicking a legitimate one opens the corresponding Control Panel applet for the user. The interesting aspect of the format is the <DeepLink> element in its schema: it holds the path of a binary to launch, together with its parameters, and the shell executes it exactly as written. What happens if we simply substitute “control.exe” with something like “cmd.exe /c calc.exe”?
When we double-click such a file, Windows runs whatever command is in the <DeepLink> element directly, with no security warning and without the user having to open a Command Prompt. This gives cyber criminals free rein to execute any command they want the moment the user opens a PDF or Word file carrying the malicious shortcut.
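The substitution described above is what a defender should look for. The following Python script is an added example, not code from the article or from the researchers it cites: it parses .SettingContent-ms files, pulls out every <DeepLink> value, and flags any that launch something other than the stock Control Panel shortcut. The two sample files are constructed here from the public schema (the stock AppID and the control.exe /name form), and the allow-listed argument shape is an assumption that should be tuned against the shortcuts shipped with the Windows build being protected.

```python
"""Inspect .SettingContent-ms files and flag DeepLink values that launch
anything other than the stock Control Panel shortcut (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the stock Windows 10 schema: DeepLink launches
# control.exe with the name of a settings page.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.System</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

# Constructed weaponized variant: the same file with control.exe swapped for
# the command the article uses as its illustration.
WEAPONIZED_SAMPLE = BENIGN_SAMPLE.replace(
    r"%windir%\system32\control.exe /name Microsoft.System", r"cmd.exe /c calc.exe")

# Only this binary is expected in a stock shortcut (after %windir% expansion).
STOCK_EXE = r"c:\windows\system32\control.exe"
# Assumed argument shape of stock shortcuts: "/name Microsoft.<Page>" with an
# optional "/page <id>". Verify against the shortcuts on your own build.
STOCK_ARGS = re.compile(r"^/name\s+Microsoft\.\w+(\s+/page\s+\S+)?$", re.I)
_WINDIR = re.compile(r"%(windir|systemroot)%", re.I)


def deep_links(xml_text):
    """Return every DeepLink value, matching the element with or without its
    namespace, since the shell does not validate the schema strictly.
    NOTE: xml.etree does not defend against entity-expansion attacks; wrap
    this in defusedxml when scanning untrusted attachments at scale."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]


def split_command(cmdline):
    """Approximate the shell's split of a command line into (executable, args):
    the executable is a double-quoted string or the first run of non-blank
    characters; %windir%/%SystemRoot% are expanded and the path lower-cased."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline, re.S)
    if not m:
        return "", ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    exe = _WINDIR.sub(r"C:\\Windows", exe).lower()
    return exe, m.group(3).strip()


def classify_deeplink(cmdline):
    """'benign' only for control.exe with stock-looking arguments."""
    exe, args = split_command(cmdline)
    if exe != STOCK_EXE:
        return "suspicious: launches %s" % (exe or "<empty>")
    if not STOCK_ARGS.match(args):
        # control.exe will load an arbitrary .cpl handed to it, so the
        # arguments matter as much as the binary itself.
        return "suspicious: control.exe with unexpected arguments %r" % args
    return "benign"


def scan(xml_text):
    """Classify every DeepLink in a file; malformed or link-less files are
    flagged too, since a legitimate shortcut always has exactly this shape."""
    try:
        links = deep_links(xml_text)
    except ET.ParseError as exc:
        return ["suspicious: unparseable XML (%s)" % exc]
    if not links:
        return ["suspicious: no DeepLink element"]
    return [classify_deeplink(link) for link in links]


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("weaponized", WEAPONIZED_SAMPLE)):
        print(name, "->", scan(sample))
```

Extracting the embedded .SettingContent-ms from the PDF or Office container is a separate step; once you have the file, feeding its bytes to `scan()` tells you in one line whether the <DeepLink> still points at control.exe or has been repurposed.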
The technique also bypasses certain Windows 10 defenses, such as Attack Surface Reduction (ASR) rules and Office's blocking of dangerous file formats embedded as OLE objects, because .SettingContent-ms was not on the block list. Getting an end user to open a Setting Content file directly is hard for the hackers, so they embed it in more familiar attachments such as PDFs and Word documents, which people regard as harmless and open without a second thought.
When the PDF is opened, Adobe Reader displays a warning prompt asking the user whether to open the embedded file, since the document's JavaScript is attempting to launch “downl.SettingContent-ms”; Reader shows this prompt for any file type launched from inside a PDF. If the intended victim clicks “OK”, the PowerShell command contained in the <DeepLink> element runs and deploys the FlawedAmmyy RAT, which, although active since 2016, only appeared on researchers' radar earlier this year.
“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more,” Proofpoint researchers said in a blog on the discovery back in March. “We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.”
TA505, the group responsible for the mass distribution of malicious spam campaigns, is behind this campaign and is using it to spread the FlawedAmmyy RAT.