If you seek … trojans
Crooks have once again targeted users downloading Ammyy’s remote access software as a conduit for spreading malware.
The tactic – which has been witnessed before, specifically in the infamous Lurk banking trojan – has been in play since early February, 2016.
Ammyy Admin is a legitimate software package (used by top corporations and Russian banks, among others), even though it has a history of being abused by fraudsters, including tech support phone scammers.
Several security software firms classify Ammyy as a potentially unwanted app.
Ammyy developers had managed to remove the malware at the time of publication.
Researchers at Kaspersky Lab reckon that attackers used weaknesses in the Ammyy website in order to add the malware to the installation archive of the legitimate remote access software.
“The thinking behind this strategy was clear: the victim was unlikely to notice the malware installation because, due to the nature of remote access software, it is treated as malicious or dangerous by some AV solutions,” Kaspersky Lab researcher Vasily Berdnikov explains in a post on KL’s Securelist blog.
Kaspersky Lab experts informed the website owners about the incident immediately after spotting it in February, and the problem was resolved, only to briefly flare up again in April for the same issue.
Alleged members of the Lurk gang – suspected of stealing an estimated $45m (3 billion rubles) – were arrested in Russia at the beginning of June, 2016.
Just before this arrest, Kaspersky Lab detected a different strain of malware – the Fareit trojan – on the Ammyy website, which has since been cleared of malware.
Users of Ammyy Admin may have been unwittingly downloading malware along with their remote desktop software well before that latest run of malfeasance. Last year, ESET warned that surfers were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also various malware packages, such as the Buhtrap banking trojan and Lurk.
El Reg has contacted Ammyy’s developers for comment. ®
Sponsored: Global DDoS threat landscape report