Ammyy Admin site found pushing banking malware, uses World Cup as cover

Cybercriminals again compromised the Ammyy Admin website: on June 13 and 14 it served malware alongside the site's legitimate free remote administration tool.

The malware involved was Kasidet, described by ESET researchers as a multipurpose trojan and banking malware and usually connected to the cybergroup Buhtrap. To further obfuscate their actions, the malicious actors' command and control server URL contained the phrase “fifa2018”, possibly as cover or as a way to throw investigators off their track.

The June incident had several similarities to one against Ammyy Admin in 2015. In each case, the file serving the malware had the same name, Ammyy_Service[.]exe, and in each case the attacker made multiple changes to the malware while the site was compromised.

ESET noted it has informed Ammyy Admin of the issue.
