Criminals Invent Clever New Way To Plant Banking Malware

Uploaded on 2016-07-25 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

A criminal gang recently found an effective way to spread malware that drains online bank accounts. They bundled the malicious executable bug inside a file that installed a legitimate administrative tool available for download.

The legitimate tool is known as 'Ammyy Admin' and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it. According to the recent blog post, members of a Russian criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. 

To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website. 

What resulted was a highly effective means for distributing the banking Trojan. That's because the legitimate tool Ammyy provided was in many ways similar to the banking Trojan in that they both provided remote access to the computer they ran on. As researchers from antivirus provider Kaspersky Lab explained:

Attacks of this type (known as Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. 

Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. 

Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.

Kaspersky Lab researchers say the Ammyy website has been breached several times. Even after removing the malicious code earlier this year, it somehow managed to come back. In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk.

"This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com," Kaspersky Lab researchers wrote.

The take away is that website infections can have serious consequences and are often extremely hard to remove. Sites that are caught distributing malware should probably not be trusted again.

Ars Technica

« Civil Liberties Group Crashes Thailand Government Website
Cybersecurity: The Human Dynamic »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

IPN (ICT Research Platform Nederlands)

IPN (ICT Research Platform Nederlands)

IPN promotes academic research and education in the ICT field by building and maintaining a national community, and by developing policy to advance the field. Areas of focus include Cyber Security.

Harel Mallac Technologies

Harel Mallac Technologies

Harel Mallac Technologies is a Mauritian organisation that has developed a strong network of ICT specialists with nodes across the African continent.

MagicCube

MagicCube

MagicCube is a device independent IoT security platform that protects against on-device, cloud, and network attacks.

Blockchains LLC

Blockchains LLC

Blockchains is committed to changing the world for the better. Using blockchain and other innovative technologies, we’ll build new systems, new security, and new interactions.

Privafy

Privafy

Privafy helps mobile service providers, IoT manufactures , and enterprises redefine the way they protect Data-in-Motion.

Cyvatar

Cyvatar

Cyvatar is a technology-enabled cyber security as a service (CSaaS) provider delivering smarter managed security to help you achieve compliance and security faster and more efficiently.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

Ascent Solutions

Ascent Solutions

Ascent is built to help firms evolve their cybersecurity posture, modernize their Microsoft solutions, and accelerate their journey to the cloud.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

SalvageData Recovery Services

SalvageData Recovery Services

Since 2003, SalvageData has been providing high-quality data recovery with the certifications needed to work with any storage media manufacturer.

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group) is a USA based digital transformation company with expertise in Mobile, Cloud, Web, IoT, AR, RPA, Cyberseurity and AI Technologies.

Heritage Cyber World

Heritage Cyber World

Heritage Cyber World is a one stop solution for all your security needs that brings together a team of security experts and analysts to deliver high-class security services.

Helix Tech Consulting

Helix Tech Consulting

Helix Tech have expertise in a wide range of technology areas, including IT strategy, infrastructure design, cybersecurity, disaster recovery, cloud, data centers, IT cost optimization, and more.