FlawedAmmy: Dangerous RAT enteres most wanted malware list

The latest Check Point Global Threat Index reveals that while cryptomining malware continues to dominate the rankings, a remote access Trojan has reached the top ten’s list for the first time.


During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions.

As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking.

Meanwhile, cryptomining malware continues to lead the Index, with Coinhive the most prevalent malware with a global impact of 18%, while Cryptoloot has risen to second on the list impacting 8% of organizations worldwide.

“This month, we have seen a RAT enter the top ten for the first time,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point. “While we have detected several campaigns distributing the FlawedAmmyy RAT in recent months, the latest campaign was easily the largest in terms of its widespread impact. While cryptominers remain the dominant threat, this may indicate that data such as login credentials, sensitive files, banking and payment information haven’t lost their lucrative appeal to cybercriminals.”

Top 3 most wanted: October 2018

1. Coinhive – Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.

2. Cryptoloot – Cryptominer, using the victim’s CPU or GPU power and existing resources for cryptomining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.

3. Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

This month, Triada, the modular backdoor for Android has climbed to first place in the top mobile malware list. It replaces Android banking Trojan and info-stealer Lokibot, which has fallen to second place. Hiddad has made a return to the list as this month’s third most prevalent mobile malware.

Top 3 most wanted mobile malware: October 2018

1. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

2. Lokibot – Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed.

3. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

October’s most exploited vulnerabilities

Check Point researchers also analyzed the most exploited cyber vulnerabilities. Once again, CVE-2017-7269 remains in first place of the top exploited vulnerabilities list, with a global impact of 48% of organizations. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure with a global impact of 46%, followed by Web servers PHPMyAdmin Misconfiguration Code Injection impacting 42% of organizations.

1. Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.

2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3. Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.

Don't miss