Ammyy Admin site delivers drive-by-download attacks

Ammyy Admin is used for remote desktop access and the malicious installer was available for download on the product’s official website.
Ammyy Admin is used for remote desktop access and the malicious installer was available for download on the product’s official website.

Kaspersky Lab researchers spotted the Ammyy Admin site being used in drive-by-downloader attacks to install the Lurk trojan and other malware.

Ammyy Admin is used for remote desktop access and the malicious installer was available for download on the product's official website, according to a July 18 blog post. The compromised installer is a dropper trojan designed to stealthily install while displaying a screen mimicking the installation of legitimate software, the post said.

The infection was made possible because the installer didn't have a digital signature and was a NSIS (Nullsoft Scriptable Install System) archive. Researchers said the dropper was being distributed regularly over the course of several hours on weekday.

Some browsers, such as Mozilla Firefox, flagged the website as potentially dangerous and warned users about the presence of unwanted software.

Researchers reported the incident to the Ammyy Group website and the malicious code was removed however, there were three more instances in February in which their site was compromised again to distribute malware, each time the problem was solved, although only temporarily.

On June 1, researchers spotted yet another watering hole attack on the site but noted the content of the dropper had changed and that the creators of Lurk had been arrested that day.

Researchers said the new trojan was designed to steal personal information suggesting the threat actors behind the breach are offering the chance to buy a place on the Trojan dropper to spread their own malware from the compromised site.

Kaspersky once again informed the firm of the compromise but it is unclear if the issue has since been resolved.

“Human nature is to let your guard down when you feel safe,” Tripwire Senior Security Research Engineer Travis Smith told SCMagazine.com via emailed comments. “As users begin to interact with new sites, their trust begins to build over time when there are no negative consequences.”

Smith said that attackers can exploit this trust using drive-by-downloads. He said attackers can redirect and infect by either compromising websites or by leveraging malvertising attacks.

“Since many exploits rely on known vulnerabilities, the easiest prevention mechanism is to install the operating system and all application patches as soon as possible,” Smith said.

Enterprises need to employ stronger security practices around fundamental security solutions to ensure their sites aren't compromised, Proficio President Tim McElwee told SCMagazine.com via emailed comments.

“Surprisingly, we've seen many enterprises who haven't deployed all the fundamental, yet critical security defenses, including firewall, a/v, IDS/IPS,” McElwee said. “Ensuring that the fundamental security solutions are part of your enterprise security practice is critical.”

That tactic, he said, would create a more complete picture of attack and how a security team should respond.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS