TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT

Overview

Threat actors regularly introduce novel vectors for distributing malware and especially prize those that allow code and command execution with minimal user interaction. Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats. Specifically, this file format currently allows execution of commands such as cmd.exe and PowerShell without prompts or user interaction.

Since the original publication of this approach, Proofpoint researchers have observed a number of actors -- “early adopters” -- abusing this file format by embedding it inside Microsoft Word and PDF documents. While the combination of the technique with the Microsoft Word container was described in the initial research, embedding inside PDFs has not been documented and likely originated with another source.

Campaign Description

We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file. The messages in the campaign used a simple lure asking the user to open the attached PDF (Figure 1).

Figure 1: Example message used to deliver the malicious PDF

When opened, Adobe Reader displays a warning prompt, asking the user if they want to open the file, since it is attempting to run the embedded “downl.SettingContent-ms” via JavaScript. Note that this prompt would be displayed for any file format embedded within a PDF, and is not caused by the SettingContent-ms file itself (Figure 2).

Figure 2: Adobe Reader presenting the user with a prompt to open the SettingContent-ms file

If the intended victim clicks the “OK” prompt to open the file, Windows would then run the SettingContent-ms file and the PowerShell command contained within the “DeepLink” element (Figure 3), which leads to the download and execution of the FlawedAmmyy RAT.

Figure 3: The SettingContent-ms file that contains the malicious PowerShell command

Attribution

This campaign is noteworthy because we attribute it with high confidence to a financially motivated actor we refer to as TA505 [3,4]. TA505 tends to operate at very large scale and sets trends among financially motivated actors because of their reach and campaign volumes. Our attribution is based on email messages, as well as payload and other identifying characteristics.

Conclusion

Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain. In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale. We will continue to monitor ways in which threat actors use this approach in the weeks to come.

References

[1] https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

[2] https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

[3] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

[4] https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times

Indicators of Compromise (IOCs)

ET and ETPRO Suricata/Snort/ClamAV Signatures

2025408 || ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin