The malware only affects Windows systems.
Two campaigns were observed downloading FlawedAmmyy, one targeting South Korea and using a Microsoft Office file containing macros that then ran a Msiexec command to bring in the FlawedAmmyy RAT.
The second campaign was aimed at financial institutions in Singapore, the UAE and the US. In this case, a Microsoft Word or Microsoft Excel file used macros to run commands that resulted in the malware being downloaded.
Asked about the origins of TA505, a Proofpoint spokesperson told iTWire that its researchers had assessed with medium confidence that the individuals known as TA505 were originally from Eastern European countries.
"But they have no knowledge that TA505 is a state actor," the spokesperson added.
Proofpoint has tracked TA505 for some time and in January reported that the actor had begun to distribute a new Windows backdoor named ServHelper.