New ESET research shows that users of Ammyy Admin, a popular free remote desktop software, have been unwittingly downloading malware along with the Ammyy product. The malware is used by the buhtrap gang to spy on and control their victims’ computers.
While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters. However, it is still widely used and clients include TOP500 Fortune companies as well as Russian banks.
Operation Buhtrap is still ongoing and new updates are regularly coming from the malware’s authors. This group, in much the same way as the Carbanak gang, is using techniques that we are accustomed to see in targeted attacks. The fact that they now use strategic web compromises is another sign of the closing gap between techniques used by cybercriminals and by APT actors.
ESET has uncovered several examples of malware being distributed via a strategic web compromise. In late October and early November this year, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also malware.
ESET researchers noticed in late October that, for about a week, visitors to ammyy.com were downloading an installer that contained malware along with the Ammyy product. While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters and several security products, such as ESET's, detect it as a Potentially Unsafe Application.
Similarly, Download.com, a major download site, doesn’t provide a direct-download link to Ammyy software to users, instead listing the Ammyy Admin page for information purposes only. However, Ammyy Admin is still widely used: Ammyy’s website lists clients that include TOP500 Fortune companies as well as Russian banks.
According to the ESET investigation, five different malware families were distributed through Ammyy’s website during the recent incident. The first malware, the Lurk downloader, was distributed on October 26. Next was Corebot on October 29, then Buhtrap on October 30, and finally Ranbyus and Netwire RAT on November 2. Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case. Thus it is quite possible that the cybercriminals responsible for the website hack sold the access to different groups.
Of the malware distributed via Ammyy’s website, of particular interest is the install package used in Operation Buhtrap.
“The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so called Advanced Persistent Threats,” said Jean-Ian Boutin, Malware Researcher at ESET.