
AndroMut

Posted: July 3, 2019

AndroMut is a Trojan downloader that installs other threats onto the computers it infects. Its attacks are associated with TA505, a threat actor that targets the financial sector and other business entities for profit, including by holding files for ransom. Following good security practices when handling e-mail will help avert infections, and any system with appropriate anti-malware protection should remove AndroMut automatically.

An Ominous Galaxy Drifts into New Skies

Code from the old Andromeda Trojan is being seen in new places, thanks to the prolific TA505 threat actor. While this for-profit group of hackers remains money-oriented in its campaigns, the summer of 2019 is showing a change in how it deploys Trojans. AndroMut is emerging as the 'delivery man' of the season, although its goods are no more than an already well-analyzed RAT.

AndroMut's name is a portmanteau of Andromeda and 'mutshellmy777,' the mutex that the Trojan creates during its setup. Malware researchers can confirm infection incidents in the United States and in smaller countries throughout the Middle East and Southeast Asia, targeting financial institutions via disguised e-mail attachments. The user downloads and opens a Word DOC, or a Web page that links to one, with the document harboring a malicious macro that installs AndroMut.

As a Trojan downloader, AndroMut downloads and installs other threats onto the computer, although malware analysts can't confirm any payload besides FlawedAmmyy, a long-running tool in TA505's arsenal that gives the attackers remote desktop access and control over the file system. More interesting for the PC security industry, AndroMut includes numerous anti-analysis defenses. It checks for mouse movement, sandboxes, debuggers, the Wine compatibility layer, and other telltale signs of an analysis environment, and it uses concealment techniques such as zeroing memory, API hashing, and AES encryption.

Cleaning Your Horizon of Hostile Starlight

While AndroMut is a brand-new Trojan that puts a priority on evading security utilities, workers still have opportunities for averting infections in every case. Appropriate precautions that should block all of AndroMut's current infection techniques include:

  • Leaving macros disabled will prevent the document's macro from running and installing AndroMut. Modern versions of Word disable macros automatically unless the user chooses otherwise, and out-of-date installations of that software should be patched to the latest version immediately.
  • Having your security products scan suspicious documents that fit TA505's phishing templates should detect the threatening content and flag the file as a threat. Users can expect phishing lures containing content tailor-made for the company under attack, including region-specific language and topical text related to the industry in question.
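The first precaution above is a setting rather than a habit, so it can be audited and enforced. The following PowerShell is an added example, not code from the original article or from any tool the article describes: it reads the Word macro policy values, compares them against a hardened baseline, and writes that baseline if it is missing. The Office version number (16.0) is an assumption for Office 2016/2019/365 and must be adjusted for other releases; the registry paths and value names are the documented Office policy keys.

```powershell
# Added example (not code from the original article or from TA505's tooling):
# audit and enforce the Word macro policy that the precautions above depend on.
# The Policies key is what Group Policy writes and it overrides whatever the user
# picks in the Trust Center. ASSUMPTION: Office version 16.0 (2016/2019/365);
# adjust the path for other versions.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

# VBAWarnings: 1 = enable all macros (the weak setting), 2 = disable with
# notification (Word's default, still one click from running), 3 = disable
# except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = refuse to run macros in files that
# carry the Mark of the Web (e-mail attachments and browser downloads).
$Hardened = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

function Get-WordMacroPolicy {
    # Returns name -> current value; $null means no policy is set, so Word
    # falls back to its default or to the user's own Trust Center choice.
    $result = @{}
    foreach ($name in $Hardened.Keys) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        $result[$name] = $value
    }
    $result
}

function Test-WordMacroPolicy {
    # True only when every hardened value is present and matches exactly.
    $current = Get-WordMacroPolicy
    foreach ($name in $Hardened.Keys) {
        if ($current[$name] -ne $Hardened[$name]) { return $false }
    }
    $true
}

function Set-WordMacroPolicy {
    # Writes the hardened values as REG_DWORD. Run in the context of the user
    # being hardened; for a fleet, push the same values with Group Policy instead.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Hardened.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Hardened[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

"Before:"; Get-WordMacroPolicy | Format-Table -AutoSize
if (-not (Test-WordMacroPolicy)) {
    Set-WordMacroPolicy
    "After:"; Get-WordMacroPolicy | Format-Table -AutoSize
}
```

VBAWarnings = 2 is Word's out-of-the-box behaviour and is the one the article calls "disabled automatically unless the user chooses otherwise"; the yellow Enable Content bar is exactly the click that TA505's lures ask for. Setting the value to 4 under the Policies key removes that bar, and the Mark-of-the-Web block catches the e-mail and download case even where an exception to the macro policy has to be made.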

Although AndroMut's purpose is delivering other threats, it also establishes long-term persistence for itself. It may use either a scheduled Windows task that launches an LNK file hidden in the Recycle Bin or a more traditional Registry entry. Victims should have anti-malware tools scan the infected PC until the software removes AndroMut and all other threats, such as the FlawedAmmyy RAT.
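The mutex named earlier on this page and the two persistence mechanisms just described are the artefacts a responder can check for on a live host while the anti-malware scan runs. The script below is an added example, not code from the original article: it tests for the 'mutshellmy777' mutex, lists LNK files under every $Recycle.Bin folder, finds scheduled tasks whose action references such a file, and dumps the Run/RunOnce keys for review. Assumptions made here: the mutex may live in the session-local or the Global namespace, so both are tried; the task's executable or arguments contain the LNK path in plain text; the Registry value names are not known, so every Run entry is listed rather than matched.

```powershell
# Added example (not code from the original article): a triage pass for the
# artefacts this page describes, the 'mutshellmy777' mutex and the persistence
# mechanisms. The mutex name is from the article. ASSUMPTIONS: the mutex may be
# session-local or Global, so both are tried; the scheduled task's action or
# arguments reference a .lnk path under a $Recycle.Bin folder; Run-key value
# names are unknown, so every entry is listed for manual review.

function Test-AndroMutMutex {
    # OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex
    # exists and UnauthorizedAccessException when it exists but cannot be opened;
    # the second case still means the mutex is present.
    foreach ($name in @('mutshellmy777', 'Global\mutshellmy777')) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            return $true
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            continue
        } catch [System.UnauthorizedAccessException] {
            return $true
        }
    }
    return $false
}

function Get-RecycleBinLinks {
    # .lnk files anywhere under $Recycle.Bin on every file-system drive.
    # -Force is needed because the folder and its per-SID subfolders are hidden.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $bin = Join-Path $_.Root '$Recycle.Bin'
        if (Test-Path -LiteralPath $bin) {
            Get-ChildItem -LiteralPath $bin -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue
        }
    }
}

function Get-RecycleBinTasks {
    # Scheduled tasks whose executable or arguments point at a .lnk under $Recycle.Bin.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\$Recycle\.Bin.*\.lnk') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Get-RunKeyEntries {
    # Every Run/RunOnce value for the current user and the machine. Nothing is
    # flagged automatically here: compare the output against a known-good baseline.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # provider bookkeeping, not a Run value
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

"Mutex present: $(Test-AndroMutMutex)"
"LNK files under Recycle Bin:";      Get-RecycleBinLinks | Select-Object FullName, LastWriteTime
"Tasks launching Recycle Bin LNKs:"; Get-RecycleBinTasks | Format-Table -AutoSize
"Run-key entries for review:";       Get-RunKeyEntries    | Format-Table -AutoSize
```

Run it from an elevated prompt so that the HKLM keys, every user's Recycle Bin subfolder, and tasks registered by other accounts are readable. A hit on the mutex check says the Trojan is currently running, whereas a task or Run entry says it will return after reboot; both are worth recording before the anti-malware product removes them, since the LNK target and the task's schedule tell you what was dropped and when.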

For TA505, Trojans are a money-making business, and AndroMut is another way of delivering cash into their hands. New as the Trojan might be, malware experts find it worth emphasizing that AndroMut can do little without the help of victims who enable risky content despite knowing better.
