Criminals Invent Clever New Way To Plant Banking Malware

Uploaded on 2016-07-25 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

A criminal gang recently found an effective way to spread malware that drains online bank accounts. They bundled the malicious executable bug inside a file that installed a legitimate administrative tool available for download.

The legitimate tool is known as 'Ammyy Admin' and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it. According to the recent blog post, members of a Russian criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. 

To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website. 

What resulted was a highly effective means for distributing the banking Trojan. That's because the legitimate tool Ammyy provided was in many ways similar to the banking Trojan in that they both provided remote access to the computer they ran on. As researchers from antivirus provider Kaspersky Lab explained:

Attacks of this type (known as Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. 

Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. 

Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.

Kaspersky Lab researchers say the Ammyy website has been breached several times. Even after removing the malicious code earlier this year, it somehow managed to come back. In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk.

"This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com," Kaspersky Lab researchers wrote.

The take away is that website infections can have serious consequences and are often extremely hard to remove. Sites that are caught distributing malware should probably not be trusted again.

Ars Technica

« Civil Liberties Group Crashes Thailand Government Website
Cybersecurity: The Human Dynamic »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

WireX Systems

WireX Systems

WireX is an innovative network intelligence and forensics company that is changing the way businesses resolve cyber-attacks.

Cyber Security National Lab (CINI)

Cyber Security National Lab (CINI)

The Cyber Security National Lab brings together Italian academic excellence in Cyber Security research.

Soracom

Soracom

Soracom offers secure, scalable, cloud-native connectivity developed specifically for the Internet of Things.

RedLock

RedLock

The RedLock Cloud 360TM platform correlates disparate security data sets to provide a unified view of risks across fragmented cloud environments.

Havelsan

Havelsan

HAVELSAN is a leading technology company in Turkey developing indigenous systems for domestic and foreign military, public and private sector clients.

SEEK

SEEK

SEEK create world-class technology solutions to address the needs of job seekers and hirers across multiple sectors including cybersecurity.

ValidSoft

ValidSoft

ValidSoft is a security software company, providing telecommunications-based multi-factor authentication, identity and transaction verification technology.

Avertro

Avertro

Avertro helps leaders manage the business of cyber. We help explain cybersecurity to executives, forecasting outcomes, right-sizing your spend, and validating your cyber strategy.

CryptoDATA

CryptoDATA

CryptoDATA develops products and services based on Blockchain technology, that ensure user security and data encryption, applicable in various fields.

KCS Group Europe

KCS Group Europe

KCS Group helps its clients to identify and deal with any risks, weaknesses and threats which could impact on the business financially or reputationally.

CXI Solutions

CXI Solutions

CXI Solutions: Your trusted partner in cybersecurity. We offer a full range of cybersecurity solutions to protect your business from digital attacks and virtual threats.

Panoplia Digital Protection

Panoplia Digital Protection

Panoplia Digital Protection is a cutting-edge cybersecurity company that leverages the power of AI and ML to help businesses and consumers protect themselves against cyber threats.

Lansafe

Lansafe

Lansafe stands as a leading managed service provider in the UK, seamlessly integrating IT, Telecoms, Security, Electrical and Cyber Security solutions.

Hubble

Hubble

Hubble grew from the idea that legacy solutions were failing to provide organizations with the asset visibility they needed to effectively secure and operate their businesses.

GlassHouse Technology

GlassHouse Technology

GlassHouse supports customers in their digitalization journey with our deep technical expertise in Managed Cloud and Security Services, SAP Infrastructure Service and Business Continuity Services.

RESTIV Technology

RESTIV Technology

RESTIV Compliance Copilot is your partner in continuous compliance. Real-time monitoring, continuous testing, and transparent evidence—no surprises, just peace of mind.