The official website of the well-known Remote Desktop Software Ammyy Admin was hacked by cybercriminals and compromised to spread Lurk and different pieces of malware, stated researchers at Kaspersky Lab.
Lurk is a banking Trojan which has been targeting Russian financial institutions and other organizations for five years. Specialists calculated that it has helped the impostors steal around $45 million. 50 suspects of using the notorious malware were newly arrested in Russia which, people believed, led to the end of Lurk.
Most times the attackers use exploits to spread the threat but they also use legitimate software like in the Lurk case. A legitimate website is breached and leveraged to serve the malware and when downloading the tool you automatically get the malware as well.
Kaspersky Lab Researchers found a connection between the infected with Lurk victims as they all had the Ammyy software installed. After a detailed analysis, they found that the malware was hiding behind the name “ammyysvc.exe,” and was downloaded alongside the Ammyy installer.
Kaspersky detected Lurk on the Ammyy website for the first time in February, this year. The Ammyy administrators were immediately informed but their attempt to remove it was unsuccessful as in April the cybercriminal started using it to spread a new version of Lurk whose target was corporate networks. Ammyy developers once again tried to clean their website but the Trojan was detected again on June 1. A third attempt was made but it is still not confirmed if they have done it properly this time.
Perhaps the criminals behind Lurk hoped that most of their victims would not suspect what is going on, relying on the fact that some anti-virus programs detect the Ammyy installer as a treat, due to the many times when it has been leveraged for fraudulent purposes.
While Kaspersky found Lurk a little later, in November 2015, ESET reported that Ammyy website had been hacked by the “Buhtrap” gang in order to deliver Lurk and four other pieces of malware – hosted Corebot, Buhtrap, Ranbyus and Netwire RAT. Other reports, on the other hand, claimed that ammyy.com was breached since July 2015.
The technique of using legitimate software for malicious purposes appears to be very effective. Users do not expect to get infected while downloading from well-founded websites and ignore such possibility. That makes it much easier for the attackers to get to their victims whose numbers are constantly increasing.