If you downloaded Ammyy Admin, you may be harboring malware. Users of ‘Ammyy Admin’ may have unwittingly downloaded malware along with their remote desktop software.
A group known as the Buhtrap gang is using the malware to spy on and control victims’ computers as part of a series of targeted attacks, security firm ESET warns.
This demonstrates that fraudsters are increasingly following the ideas and techniques of the more advanced cyberspies.
The malware is being distributed via a web compromise. Since late October, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also various malware packages.
Jean-Ian Boutin, a malware researcher at ESET, commented: “The fact that cyber-criminals now use strategic web compromises is another sign of the gap closing between techniques used by cyber-criminals and by actors behind so-called Advanced Persistent Threats.”
The cyber crooks served up a Lurk downloader before dishing out Corebot and switching to Buhtrap by the end of October. The Ranbyus and Netwire RAT malware strains were served one after the other at the start of November.
“Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case,” ESET explains. “Thus it is quite possible that the cyber-criminals responsible for the website hack sold the access to different groups.”
Ammyy Admin is a legitimate software package (used by top corporations and Russian banks, among others) even though it has a history of being abused by fraudsters. Several security software firms now classify Ammyy as a potentially unwanted app.
If you have ‘Potentially Unwanted Application’ detection enabled in your endpoint protection, the Ammyy download should be blocked – it will be if you run ESET for protection.