2017 was a year of ransomware, primarily the WannaCry malware that made $4 billion in profits from the ransom payments of its poor victims globally. This year is a bit of a mash-up, with cryptocurrency mining malware rising to prominence and banking trojans resurging, ready to bite their next victims. FlawedAmmy is the dark horse of 2018's malware: it came onto the radar of CheckPoint Research as the most prolific RAT (Remote Access Trojan) of 2018.
New FlawedAmmy infections have been recorded for at least a couple of months. Just like other RATs of its kind, it takes control of the PC's screenshot functionality, microphone, and camera (if that hardware is installed). It is very dangerous to perform online banking while infected by a RAT, as it captures screenshots and fully monitors keyboard activity.
FlawedAmmy's activity in the wild earned it a place in CheckPoint Research's Global Threat Index as one of the top 10 malware families of 2018. It is a unique distinction for FlawedAmmy: alongside cryptomining malware, worms, mobile backdoors, and trojan apps, it stands out as the only RAT in the list.
“This month, we have seen a RAT enter the top ten for the first time. While we have detected several campaigns distributing the FlawedAmmy RAT in recent months, the latest campaign was easily the largest in terms of its widespread impact. While cryptominers remain the dominant threat, this may indicate that data such as login credentials, sensitive files, banking and payment information haven’t lost their lucrative appeal to cybercriminals,” explained Maya Horowitz, CheckPoint’s Group Manager for Threat Intelligence.
Having a Remote Access Trojan infection is like giving an unknown remote third party physical access to the PC. It can install unauthorized apps, run arbitrary commands, record every single keystroke the user types, and even take a picture of the person using the computer by remotely controlling the webcam.
Unlike other types of malware, RATs are usually used for espionage rather than for damaging the files on the infected computer. A RAT is the ultimate spy tool: once installed, it records all activity done with the operating system, the use of hardware peripherals, and the downloads and uploads made from the machine.
For advanced users, certain tools can be used to detect signs of a Remote Access Trojan installed on Windows. The two tools are Process Explorer and Autoruns, both developed by SysInternals, a cybersecurity company that was acquired by Microsoft a decade ago.
Process Explorer is Windows Task Manager on steroids, or rather Windows Task Manager done right. Through Process Explorer, all Windows processes, including hidden ones, can be viewed by the user. That includes the RAT process, and the program can be used to "End Task" the RAT process, terminating it and removing it from memory. Autoruns is a super MSCONFIG, a utility where startup entries can be safely and securely disabled or removed. With this tool, the RAT's processes can be prevented from automatically running as soon as Windows loads.
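A lightweight PowerShell triage pass over the same places those two tools inspect, as an added example that is not from the article or from SysInternals. It assumes only standard Windows registry Run keys and environment variables; a flagged item is a lead to review in Autoruns or Process Explorer, not proof of a RAT.

```powershell
# Read-only triage: list Run/RunOnce autostart entries, then running processes
# whose image is unsigned or lives outside the Windows / Program Files trees.
# Added example (hypothetical script), not Sysinternals code; nothing is changed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Registry autostart entries (compare with the Autoruns 'Logon' tab) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # PS* properties are PowerShell's own provider metadata, not autostart values
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

Write-Host "== Running processes with unsigned or unusually located images =="
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $proc = $_
    # Authenticode status: 'Valid' for a properly signed image, otherwise suspect
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($proc.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
        }
    }
    if ($sig.Status -ne 'Valid' -or -not $inTrustedRoot) {
        [pscustomobject]@{
            PID       = $proc.Id
            Name      = $proc.ProcessName
            Path      = $proc.Path
            Signature = $sig.Status
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts expose their image path; entries it reports should be cross-checked in Process Explorer (image signature, parent process) before anything is terminated or disabled.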