Throughout 2018, Proofpoint researchers observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functioned as a downloader.
In June 2019, TA505 appears to have introduced yet another new downloader, AndroMut, which has some similarities in code and behavior to Andromeda, a long-established malware family. Proofpoint researchers have observed AndroMut downloading the malware referred to as “FlawedAmmyy.” FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy.
Proofpoint researchers observed two distinct campaigns by TA505 that used AndroMut to download FlawedAmmyy.
The first campaign used the following message details to target recipients in South Korea:
- 쌍용 인보이스 1234
- 송금증 $123.12
- 20.06.2019 송금증 123.12.doc
- 20.06.2019 송금증 123.12.xls
- 20.06.2019 송금증 123.12.htm
- 20.06.2019 송금증 123.12.html
- “Kim, DongHoon (Dongtan_Con)”
The HTM or HTML attachments contained links to download an Office file. Depending on the specific case, the delivered Word or Excel file used macros to execute a Msiexec command that downloaded and executed either the FlawedAmmyy loader or AndroMut. In the cases that involved AndroMut, Proofpoint researchers observed it downloading FlawedAmmyy.
Figure 1: Example TA505 email used to deliver AndroMut
Figure 2: Example TA505 document used to deliver AndroMut
The second campaign targeted recipients at financial institutions in Singapore, UAE, and the USA. The message lures used the following details:
- Mir Imran Medhi
- Invoice & DOs
- Ong Kai Chin
- Profoma Invoice_1234
- Rejeesh Aj
- request for holding cheque
Again, depending on the specific case, the delivered Word or Excel file used macros to execute a Msiexec command that downloaded and executed either the FlawedAmmyy loader or AndroMut. In the cases that involved AndroMut, we observed it downloading FlawedAmmyy.
Figure 3: Example TA505 email with attachments used to deliver AndroMut
AndroMut Malware Analysis
AndroMut is a new downloader written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from pieces of the code that resemble another downloader known as Andromeda, and “Mut” is based on a mutex that the analyzed sample creates: “mutshellmy777”.
Windows API Calls
The malware resolves most of its Windows API calls at runtime by hash. The hashing algorithm is the one FireEye calls “ror13AddHash32Dll”: for each character of the DLL name and then of the API name, the running hash is rotated right (ROR) by 13 bits and the character is added, and the two resulting hashes are then added together. Some example API hashes are:
- lstrcpyW – 0xE33D73B4
- CreateMutexW – 0x95898DFF
- socket – 0xED83E9BA
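Reproducing the hash lets an analyst label hashed imports by lookup instead of by hand. The following Go program is an added example, not code from the Proofpoint post or from the malware: it implements the Metasploit/FLARE ror13AddHash32Dll convention (module name upper-cased and walked as UTF-16LE with its terminator, export name as ASCII with its terminator, partial hashes summed modulo 2^32) and checks itself against the published value 0x0726774C for kernel32.dll!LoadLibraryA. Whether AndroMut feeds the module name in exactly that form is not stated in the post, so the three sample values above are looked up but not assumed to match.

```go
package main

import (
	"fmt"
	"math/bits"
	"strings"
)

// ror13Add is one hash step: rotate the running value right by 13, then add the byte.
func ror13Add(h uint32, b byte) uint32 { return bits.RotateLeft32(h, -13) + uint32(b) }

// Ror13AddHash32Dll follows the Metasploit/FLARE convention of that name: the module
// name is upper-cased and walked as UTF-16LE including its terminator, the export
// name as ASCII including its terminator, and the two partial hashes are summed mod 2^32.
func Ror13AddHash32Dll(module, export string) uint32 {
	var modHash, expHash uint32
	for _, c := range []byte(strings.ToUpper(module) + "\x00") {
		modHash = ror13Add(modHash, c) // low byte of the UTF-16 code unit...
		modHash = ror13Add(modHash, 0) // ...then its zero high byte
	}
	for _, c := range []byte(export + "\x00") {
		expHash = ror13Add(expHash, c)
	}
	return modHash + expHash
}

// HashTable precomputes hashes for candidate exports so the constants seen in a
// binary can be labelled by lookup rather than by hand.
func HashTable(exports map[string][]string) map[uint32]string {
	t := make(map[uint32]string)
	for mod, names := range exports {
		for _, n := range names {
			t[Ror13AddHash32Dll(mod, n)] = mod + "!" + n
		}
	}
	return t
}

func main() {
	table := HashTable(map[string][]string{
		"kernel32.dll": {"LoadLibraryA", "CreateMutexW", "lstrcpyW"},
		"ws2_32.dll":   {"socket"},
	})
	// 0x0726774C is the published Metasploit hash of kernel32.dll!LoadLibraryA; the
	// values from the post are looked up too, and a miss means the sample hashes a
	// different module-name form (or module) than the one assumed here.
	for _, h := range []uint32{0x0726774C, 0xE33D73B4, 0x95898DFF, 0xED83E9BA} {
		name, ok := table[h]
		fmt.Printf("%08X  %s (known=%v)\n", h, name, ok)
	}
}
```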
AndroMut decrypts strings in one of two ways:
- Type 1: The encrypted string is base64-decoded, then decrypted with AES-256 in ECB mode. Each string has its own key, which looks like a 32-byte hex string (Figure 4).
Figure 4: Example of Type 1 Encrypted Strings
- Type 2: The encrypted string is stored as a stack string. Each string is decrypted by a unique arithmetic sequence — we were unable to observe any compelling patterns in the mathematics. Figure 5 shows an example of the string “cmd /C” being decrypted. An equivalent Python snippet of the code is available on GitHub.
Figure 5: Example of Type 2 Encrypted String
In addition to Windows API hashing and string encryption, AndroMut uses the following anti-analysis techniques:
- Checks for sandboxing by looking for the following process names:
  - cmdvirth.exe (COMODO)
  - SbieSvc.exe (Sandboxie)
  - VMSrvc.exe (Virtual PC)
  - xenservice.exe (Xen)
- Checks for mouse movement
- Checks for the Wine emulator by looking for the “HKEY_CURRENT_USER\SOFTWARE\Wine” subkey in the Registry
- Checks for debuggers by looking for debugging flags set in the NtGlobalFlag field of its Process Environment Block (PEB)
- Checks for debuggers by creating a “Puleg” mutex, setting the HANDLE_FLAG_PROTECT_FROM_CLOSE flag on the mutex handle, then trying to close the handle
- Explicitly zeroes memory after using important data
Depending on user privileges, the malware establishes persistence either by scheduling a task that executes an LNK file it created in the Recycle Bin or via the Registry Run key method.
AndroMut contains five configuration pieces and stores them as type 1 encrypted strings:
- Command and control (C&C) host
- C&C port
- C&C URI
- Encryption key used in C&C
- JSON key used in C&C
Command and Control
The URL is constructed from the configuration, and C&C communication uses HTTP POST requests. An example response to such a request is depicted in Figure 6:
Figure 6: Example C&C response
Request and response data are both JSON objects that contain the configured JSON key (in the analyzed sample, the key was “w”). The value under that key is decrypted by hex-decoding it and then decrypting with AES-256 in ECB mode using the configured C&C key (in the analyzed sample, the key was “736769476A5162373558736B71703962”).
An example plaintext request looks like:
“tid”: “<16 uppercase hex digits>”
The request is a JSON object containing a “data” key, whose value holds the following keys:
- tid – Bot ID
- os – Windows version
- arch – “true” indicates x64
- rights – “true” indicates admin privileges
- cmd – Command response code
An example plaintext response looks like:
The “status” key maps to different commands. The rest of the keys are command-specific arguments. AndroMut is able to execute the following commands:
- 100 – Remove self and exit
- 200 – Initial beacon response. Argument is not used and appears to be random padding
- 300 – Base64-decodes the “data” value, saves it to the %TEMP% directory under the “name” value, then executes it with the CreateProcessW Windows API. See below for an example:
Other “status” codes include:
- 301 – Similar to “300” command, but executes the file using “cmd[.]exe [/]C”
- 302 – Similar to “300” command, but executes the file using the LoadLibraryEx Windows API
- 303 – Update self
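The envelope described above can be built and decoded with the following Go program, an added example that is not code from the post or from the malware. It wraps a plaintext JSON task under the configured JSON key (“w” here) as the hex of an AES-256-ECB ciphertext, using the C&C key quoted above directly as 32 ASCII bytes, and decodes such an envelope the way an analyst would for captured traffic. PKCS#7 padding and the exact plaintext layout are assumptions; the decoder rejects misaligned ciphertext and bad padding so that a wrong key or unrelated traffic fails loudly instead of yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// ecb applies the block operation to each 16-byte block: ECB has no chaining and no IV.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}

// Wrap builds {<jsonKey>: hex(AES-ECB(pt))} with the cipher from aes.NewCipher(key).
func Wrap(blk cipher.Block, jsonKey string, pt []byte) ([]byte, error) {
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 padding (an assumption)
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	return json.Marshal(map[string]string{jsonKey: hex.EncodeToString(ecb(blk.Encrypt, padded))})
}

// Unwrap decodes a captured request or response into its plaintext JSON fields.
func Unwrap(blk cipher.Block, jsonKey string, envelope []byte) (map[string]any, error) {
	var outer map[string]string
	jerr := json.Unmarshal(envelope, &outer) // a nil map on failure indexes safely to ""
	ct, herr := hex.DecodeString(outer[jsonKey])
	if jerr != nil || herr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("no block-aligned hex ciphertext under %q", jsonKey)
	}
	pt := ecb(blk.Decrypt, ct)
	n := int(pt[len(pt)-1]) // validate padding: a wrong key almost always fails here
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key or not AndroMut traffic")
	}
	fields := map[string]any{} // pre-allocated so Unmarshal fills this same map
	return fields, json.Unmarshal(pt[:len(pt)-n], &fields)
}

func main() {
	blk, _ := aes.NewCipher([]byte("736769476A5162373558736B71703962")) // key quoted in the post, used as 32 ASCII bytes
	env, _ := Wrap(blk, "w", []byte(`{"status":300,"name":"x.exe","data":"TVo="}`)) // constructed sample task
	fmt.Println(string(env))
	fmt.Println(Unwrap(blk, "w", env))
}
```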
At the time of publication, Proofpoint researchers have only seen AndroMut deliver the FlawedAmmyy Remote Access Trojan (RAT) in the TA505 campaigns described above.
Similarity to Other Malware
While Proofpoint researchers believe that AndroMut is a new malware family, it is worth mentioning in passing that parts of its analysis felt familiar. Proofpoint has observed some low-confidence overlaps between it and two other malware downloaders: Andromeda and QtLoader. The research into the latter malware also noted some similarities to Andromeda.
TA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with their campaigns through the end of 2017 and into 2018. Over the last two years, Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans. With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual “follow the money” behavioral pattern. The new AndroMut downloader, combined with the FlawedAmmyy RAT as its payload, appears to be TA505’s new pet for the summer of 2019.
Indicators of Compromise (IOCs)
TA505 Excel File
ET and ETPRO Suricata/Snort Signatures
2836975 ETPRO TROJAN AndroMut Checkin