Website altered to serve a malware-tainted version of otherwise legitimate software with the global event in Russia acting as a smokescreen
According to ESET’s analysis, within that timeframe the website was compromised to serve a malware-tainted version of this otherwise legitimate software. To add an interesting twist to the incident, the attackers tried to hide their malicious activity behind the brand of the ongoing FIFA World Cup.
It feels almost like traveling back in time. In October 2015, the website offering a free version of Ammyy Admin software started serving malicious code connected to the cybercrime group Buhtrap. Now history repeats itself and the site seems to be compromised again. The issue was first spotted by ESET researchers shortly after midnight on June 13 and persisted until the morning of June 14.
Remote admin with Kasidet bot on the side
Users who downloaded software from ammyy.com in the aforementioned timeframe received more than just the requested software – part of the bundle was also a multipurpose Trojan and banking malware detected by ESET as Win32/Kasidet. ESET advises all potential victims to take precautionary measures and use a reliable security product to scan and clean their devices.
Win32/Kasidet is a bot that is sold in underground crime markets and is actively used by various cybercriminal groups. The build detected on the ammyy.com site on June 13 and 14, 2018 had two main goals:
- Stealing files that could contain passwords or access data for cryptocurrency wallets and accounts of the victims. It achieves this by searching for filenames that match the following masks and by sending them to the C&C server:
2. Reporting processes whose names include any of the following strings:
The URL of the command and control server, hxxp://fifa2018start[.]info/panel/tasks.php, was also interesting – it seems as if it was designed by the attackers to use the ongoing FIFA World Cup as cover for their malicious network communication.
ESET researchers spotted multiple similarities to the 2015 attack. Back then, attackers were misusing ammyy.com to serve numerous malware families, changing them on an almost daily basis. In the 2018 case, ESET systems detected only Win32/Kasidet, however, the obfuscation of the payload changed on three occasions, probably to avoid detection by security products.
Another similarity between the incidents was the identical name of the file – Ammyy_Service.exe –containing the payload. The downloaded installer AA_v3.exe may look legitimate at first sight, however the attackers have used SmartInstaller and built a new binary, which drops the Ammyy_Service.exe before installing Ammyy Admin software.
As the site has been similarly compromised in the past, ESET recommends that users run a reliable up-to-date — and updated — multi-layered antimalware solution whenever they try to download software from this website.
While Ammyy Admin is a legitimate tool, it has a long history of being misused by fraudsters. As a result, several security products, including ESET’s, detect it as a Potentially Unsafe Application. However, it is still widely used, mostly in Russia.
We notified Ammyy about the issue. As Ammyy Admin is widely used, we feel it is important to warn its users about its current security issues.
Special thanks to Jakub Souček, who pointed us to the compromise and provided the analysis.
|ESET detection names|