Criminals Invent Clever New Way To Plant Banking Malware

A criminal gang recently found an effective way to spread malware that drains online bank accounts. They bundled the malicious executable bug inside a file that installed a legitimate administrative tool available for download.

The legitimate tool is known as 'Ammyy Admin' and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it. According to the recent blog post, members of a Russian criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. 

To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website. 

What resulted was a highly effective means for distributing the banking Trojan. That's because the legitimate tool Ammyy provided was in many ways similar to the banking Trojan in that they both provided remote access to the computer they ran on. As researchers from antivirus provider Kaspersky Lab explained:

Attacks of this type (known as Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. 

Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. 

Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.

Kaspersky Lab researchers say the Ammyy website has been breached several times. Even after removing the malicious code earlier this year, it somehow managed to come back. In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk.

"This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com," Kaspersky Lab researchers wrote.

The take away is that website infections can have serious consequences and are often extremely hard to remove. Sites that are caught distributing malware should probably not be trusted again.

Ars Technica

« Civil Liberties Group Crashes Thailand Government Website
Cybersecurity: The Human Dynamic »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

National Cyber Directorate Israel

National Cyber Directorate Israel

The Israeli National Cyber Directorate provides incident handling services for civilian entities and critical infrastructures and works to increase national resilience against cyber threats.

CNCERT/CC

CNCERT/CC

CNCERT is the national Computer Network Emergency Response Technical Team / Coordination Center of China.

4iQ

4iQ

4iQ fuses surface, social, deep and dark web sources to research and assess risks to people, infrastructure, intellectual property and reputation.

Convercent

Convercent

We offer comprehensive and integrated compliance management, reporting, and analytics. A 360-degree view of compliance drives efficiency by aligning initiatives and data into a single dashboard.

Neoteric Networks

Neoteric Networks

We deliver a no nonsense procedure to implementing technology. The technology selection process ensures that all customers enjoy an engineered methodology implementing technology.

Hornetsecurity

Hornetsecurity

Meet Hornetsecurity – Leading Cloud Email Security Provider. We protect global organizations so you can focus on what you do best.

FFRI Security

FFRI Security

FFRI is committed to research and development of preventing the most advanced cyber-attacks and breaches.

IT Security Jobs

IT Security Jobs

IT Security Jobs is a dedicated portal for everything related to IT professionals looking for IT Security jobs.

Horizon3.ai

Horizon3.ai

Horizon3.ai is a leader in security assessment and validation enabling continuous security overwatch from an attacker’s perspective through our NodeZero SaaS solution.

Titan Labs

Titan Labs

Titan Labs is a Cyber Security Consultancy that provides advice and technical expertise to government, international finance and telecommunications providers.

Advantio

Advantio

Advantio offers a unique combination of technologies and managed, advisory and testing services to increase your cyber resilience and compliance.

Arcserve

Arcserve

Defend your data with Arcserve all-in-one data protection and management solutions designed to be the right fit for your business, regardless of size or complexity.

Virtual Infosec Africa (VIA)

Virtual Infosec Africa (VIA)

Virtual InfoSec Africa (VIA) is a wholly-owned Ghanaian company specializing in information security and cybersecurity solutions and services.

SecureTeam

SecureTeam

SecureTeam are a UK-based information security practice, specialising in all areas of cybersecurity.

Diversified Search Group - Alta Associates

Diversified Search Group - Alta Associates

Diversified Search Group is an industry leader in recruiting diverse, inclusive and transformational leadership for clients.

DATS Project

DATS Project

DATS Project enables the utilization of high computing power across a number of cybersecurity services, all on a pay-as-you-go basis, eliminating the need for upfront investment costs.