
Buhtrap gang likely behind malware served on Ammyy website

Security researchers discovered that visitors to the Ammyy website in late October were served malware alongside the legitimate Ammyy Admin remote desktop software, giving the Buhtrap gang control of victims' computers.

Ammyy Admin, long a tool of those committing fraud, still enjoys widespread use in Russia, according to a welivesecurity.com blog post. The Buhtrap group typically used spearphishing attacks aimed at Russian businesses, and Ammyy lists Russian banks and Fortune 500 companies among its clients. The gang's Operation Buhtrap was identified by ESET researchers in 2014 and was believed to have been active for longer than a year before that.

“It is thus interesting to see them add strategic web compromises to their arsenal,” which likely signals “the closing gap between techniques used by cybercriminals and by APT actors,” the ESET researchers wrote, adding that the “website is now clean and serves the malware-free Ammyy Admin remote administrator package.”

Still, for about a week, from Oct. 26 to Nov. 2, several unrelated malware families (Corebot, Buhtrap, Ranbyus and the Netwire RAT) were distributed to unsuspecting website visitors.

“Although these families are not linked together, the droppers that might have been downloaded from Ammyy's website were the same in every case,” the blog post said. “The executable would install the real Ammyy product, but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload.”

The researchers said that could indicate the cybercriminals behind the hack may have “sold access to different groups.”
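The trojanized installer described above is easier to catch by its behaviour than by its hash: the dropper launches the genuine product and, from the same parent process, a sidecar named AmmyyService.exe or AmmyySvc.exe. The following is an added example, not code from the article or from ESET. It runs a detection over constructed process-creation events in an assumed pipe-delimited form (timestamp|image|parent, a stand-in for Sysmon Event ID 1 or an EDR process tree) and only alerts on the two payload names when they share a parent with other children, reporting those siblings so an analyst can see the legitimate product that was installed alongside. The installer and product filenames in the sample (ammyy_setup.exe, AmmyyAdmin.exe) are hypothetical; only the two payload names come from the write-up.

```python
from typing import Dict, List

# Payload filenames reported in the ESET write-up (matched case-insensitively).
SUSPECT_NAMES = {"ammyyservice.exe", "ammyysvc.exe"}

# Constructed sample events, not a real log. Format assumed: ts|image|parent.
# ammyy_setup.exe and AmmyyAdmin.exe are hypothetical names for the downloaded
# installer and the genuine product; only AmmyySvc.exe comes from the article.
SAMPLE_LOG = r"""
2015-10-27T10:01:02Z|C:\Users\u\Downloads\ammyy_setup.exe|C:\Windows\explorer.exe
2015-10-27T10:01:05Z|C:\Program Files\Ammyy\AmmyyAdmin.exe|C:\Users\u\Downloads\ammyy_setup.exe
2015-10-27T10:01:06Z|C:\Users\u\AppData\Local\Temp\AmmyySvc.exe|C:\Users\u\Downloads\ammyy_setup.exe
2015-10-27T11:20:00Z|C:\Program Files\Ammyy\AmmyyAdmin.exe|C:\Windows\explorer.exe
2015-10-27T11:25:00Z|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe
"""


def basename(path: str) -> str:
    """Lower-cased final path component; accepts either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the assumed ts|image|parent lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, parent = line.split("|", 2)
        events.append({"ts": ts, "image": image, "parent": parent})
    return events


def find_suspect_payloads(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Alert when a suspect-named child is launched by a parent that also
    spawned other children (the installer dropping the real product plus the
    payload). Siblings are returned so the analyst sees what else was dropped."""
    by_parent: Dict[str, List[Dict[str, str]]] = {}
    for e in events:
        by_parent.setdefault(e["parent"], []).append(e)

    alerts: List[Dict[str, object]] = []
    for parent, children in by_parent.items():
        for child in children:
            if basename(child["image"]) not in SUSPECT_NAMES:
                continue
            siblings = [basename(c["image"]) for c in children if c is not child]
            alerts.append({
                "ts": child["ts"],
                "payload": child["image"],
                "dropper": parent,
                "siblings": siblings,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_payloads(parse_events(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['dropper']} launched {alert['payload']} "
              f"alongside {alert['siblings']}")
```

The 11:20 event shows the intended behaviour on a clean install: the product alone, launched from explorer.exe with no sidecar, produces no alert. In a real deployment the filename set would be one signal among several (the dropper's download origin and whether the sidecar is signed by Ammyy being the obvious next checks), since the names are trivial for an attacker to change.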
