The website of the company that develops the popular remote administration software Ammyy Admin has been repeatedly compromised in the last year or so, and users who downloaded the tool were saddled with malware.
First it was the Lurk banking Trojan that was bundled with the remote administration tool. Then, after June 1, the Fareit info-stealing Trojan.
The change coincided with the news that the creators of Lurk had been arrested, making Kaspersky Lab researchers believe that whoever is behind the repeated compromises of the Ammyy Admin (ammy.com) website is getting paid by malware creators to spread their malicious wares.
The researchers discovered this malware-spreading approach when they realized that victims of the Lurk Trojan more often than not also had Ammyy Admin installed on their machines.
“It turned out that on the official site of Ammyy Admin (which is used for remote desktop access) there was an installer that did not have a digital signature and was an NSIS archive,” they noted.
The installer downloaded and installed both the malware and the legitimate tool. And as Ammyy Admin is often flagged as potentially unwanted software by AV solutions, this likely helped to make the actual malware pass unnoticed.
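As an added example (not code from Kaspersky Lab's report or from this article), the following Python triages a downloaded installer for the two traits just described: it reads the PE data-directory entry that holds the Authenticode certificate table to see whether any signature is attached at all, and it scans for the marker string that NSIS-built installers carry. The sample PE images are constructed inline and are not real installers.

```python
import struct

# Marker string found in the first-header block of NSIS-built installers.
NSIS_MAGIC = b"NullsoftInst"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot for the Authenticode table


def security_directory(data: bytes) -> tuple:
    """Return (file offset, size) of the PE certificate table; (0, 0) means unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = pe_off + 24                                   # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                      # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                    # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                                       # table too short to hold a signature entry
    return struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def triage_installer(data: bytes) -> dict:
    """Flag the combination seen on the compromised site: NSIS-packaged and unsigned."""
    sec_off, sec_size = security_directory(data)
    signed = sec_off != 0 and sec_size != 0                # a table exists; validity is not checked here
    nsis = NSIS_MAGIC in data
    return {"signed": signed, "nsis": nsis, "suspicious": nsis and not signed}


def build_sample_pe(signed: bool, nsis: bool) -> bytes:
    """Constructed minimal PE32 image for demonstration only; not a real installer."""
    opt = bytearray(224)                                    # PE32 optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if signed:                                              # fake certificate-table entry (offset, size)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x800)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    overlay = NSIS_MAGIC + b"\0" * 16 if nsis else b"\0" * 28
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + overlay
```

A non-empty certificate table only shows that something is attached; the signature still has to be validated against a trusted chain (for example with signtool or Get-AuthenticodeSignature) before the file is trusted.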
This “watering hole” approach to malware delivery is extremely effective, and this campaign is doubly so because the individual or the group behind the site’s compromise made sure not to “offer” the malware all the time and to all visitors.
It was offered regularly, for periods of several hours on weekdays.
“In early April, the cybercriminals uploaded a new, slightly modified dropper for distribution. At launch, it used the function GetComputerNameExA to check if the computer being infected was part of a corporate network; if so, it launched the Lurk malicious program along with the remote administration tool. This shows that the cybercriminals were specifically hunting for corporate workstations and servers,” the researchers found.
Ammyy Group was repeatedly warned about the compromised website, and they repeatedly cleaned it up, but the attackers found their way into it again and again.
Either the company is doing an especially lousy job at keeping their assets secure, or they are in on the scam – I can see no other explanation.
And while all these repeated compromises were happening, the company never mentioned anything about them on the website, nor have they put up a warning saying that people who have downloaded their software have likely been infected with malware.