Cybercriminals managed to again compromise the Ammyy Admin website, this time on June 13 and 14 they managed to have it serve malware in addition to the site's legitimate free remote administration tool.
The malware involved was Kasidet, described by ESET researchers as a multipurpose trojan and banking malware and usually connected to the cybergroup Buhtrap. To further obfuscate their actions the malicious actors' command and control server URL contained the phrase “fifa2018” as a possible cover or a way to throw investigators off their track.
The June incident had several similarities to one against Ammy Admin in 2015. In each case, the file serving the malware had the same name, Ammyy_Service[.]exe, and in each case the attacker made multiple changes to the malware while the site was compromised.
ESET noted it has informed Ammyy Admin of the issue.