Martijn Lammerts
My own digital place with a little of everything

Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmy RAT Distributed by Necurs

31 July 2018

By Anita Hsieh, Rubio Wu, and Kawabata Kohei

Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file that opens Microsoft’s Windows Settings panel. Malicious SettingContent-ms files were found embedded in a PDF document that drops the aforementioned RAT.


Figure 1. The volume of spam emails in July 12 and 13

From our research and analysis of spam emails sent on July 12 and 13, more than 50 percent of the email accounts that received this spam belonged to banks located in countries like Malaysia, Indonesia, Kenya, Romania, Poland, and Austria.

Infection chain

Figure 2. Infection chain of the spam campaign

The spam emails used subjects such as “invoice” or strings like “important announcement,” “copy,” “Scanned image,” “security bulletin,” and “whats this” to trick recipients. The PDF attached in the said emails contained embedded JavaScript code and a “downl.SettingContent-ms” file, similar to what ProofPoint has reported. Once the PDF file is opened by the user, the JavaScript code will trigger the SettingContent-ms file.

Once the “downl.SettingContent-ms” file is opened, Windows will run the PowerShell command inside the <DeepLink> tag, which will download the FlawedAmmyy RAT from hxxp://169[.]239[.]129[.]117/cal before executing it. This FlawedAmmyy RAT variant is the same one installed by a Necurs module on bots under bank- and POS-related user domains.


Figure 3. Spam mail sample showing a PDF attachment with JavaScript code and SettingContent-ms


Figure 4. The embedded JavaScript code that will be automatically triggered once the PDF is opened


Figure 5. The embedded “downl.SettingContent-ms” file that the JavaScript code opens


Figure 6. The JavaScript code used to open “downl.SettingContent-ms”file


Figure 7. The “downl.SettingContent-ms” file that the JavaScript code opens after it opens the PDF


Figure 8. The content of the “downl.SettingContent-ms file that contains the PowerShell command for downloading the FlawedAmmyy RAT

FlawedAmmyy RAT – the spam campaign’s connection to Necurs

Recently, Necurs has been showing interest in bots with specific characteristics. On July 12, Necurs pushed a module – a downloader of the FlawedAmmyy RAT – to its bots. The module checked if the domain name contained any of the following keywords: bank, banc, aloha, aldelo, and postilion (as seen in Figure 10). Aloha is a restaurant POS system, Aldelo is an iPad POS system, while Postilion is a solution for acquiring payments or transactions across all channels, from ATM and POS to ecommerce and mobile. It downloads and executes the final payload from hxxp://169[.]239[.]129[.]117/Yjdfel765Hs if the bot’s user domain matches Necurs’ criteria.


Figure 9. The module obtained the bot’s user domain via the cmd command echo %%USERDOMAIN%%


Figure 10. The module checks if the user domain contains any of the highlighted keywords

Trend Micro Solutions

To defend against spam and threats like Necurs, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of compromise (IoCs)

IoCIoC TypeDescription
SHA256Necurs module that checks if the bot is potentially bank- or POS-related
SHA256PDF used in the spamming campaign on July 12 and 13
SHA256FlawedAmmyy RAT dropped by the Necurs module and the spam campaign on July 12
185[.]99[.]132[.]119:443IP + PortC&C of the FlawedAmmyy RAT
hxxp://169[.]239[.]129[.]117/Yjdfel765HsURLURL used to download the FlawedAmmyy RAT in the Necurs module
hxxp://169[.]239[.]129[.]117/calURLURL used to download the FlawedAmmyy RAT in the SettingContent-ms file embedded in the PDF


The post Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmy RAT Distributed by Necurs appeared first on .