Kaspersky Lab researchers trace infection route to ammyy.com RATs
Kaspersky Lab researchers trace infection route to ammyy.com RATs
Researchers at Kaspersky Lab have found that the Lurk banking Trojan was propagated by cyber-criminals in some cases using legitimate software to widen its distribution potential. Users downloading and installing genuine remote access software from ammyy.com will have been affected, if not infected,  since early February 2016.

Moscow based researchers at Kaspersky say that they believe that attackers used weaknesses in the Ammyy Admin website security system, in order to add the malware to the installation archive of the remote access software.

A whammy for Ammyy

Ammyy itself is a piece of zero-configuration free remote desktop software. It is used for system administration, webinars and instant remote desktop connection over the Internet. The company's own unusually presented press pages carry no alerts concerning this threat.

The Lurk Trojan is distinctive in that its malicious code is not stored on the victims' computer but in Random Access Memory (RAM). Lurk has infected a range of legitimate media and news centric websites with exploits. A victim simply had to visit a compromised webpage to become infected with the Lurk Trojan.

The Lurk ‘group' or ‘gang' was arrested in Russia in the beginning of June 2016 after stealing an estimated 3 billion rubles (£34 million) from banks, businesses and other financial institutions in the country.

According to Kaspersky's initial analysis of Lurk, once inside the victim's PC, the malware would start to download additional malicious modules that enabled it to steal the victim's money. In order to hide their traces behind VPN-connection, the criminals also hacked into various IT and telecom companies, using their servers to remain anonymous.

Watering hole attacks

Kaspersky has described a variety of different malicious techniques used by Lurk to propagate the malware. Prevalent among the attack types used were

watering hole attacks where attackers observe target websites popular with their target prey. Once a targeted group of users is identified, attackers will look for look for opportunities to infect the website or websites with malware that typically might inject malicious JavaScript of HTML code.

While running a technical analysis of Lurk, Kaspersky Lab experts noticed that many of the victims had remote desktop tool Ammyy Admin installed on their computers. This tool is quite popular among business system administrators, as it makes it possible for them to work with their organisation's IT infrastructure remotely.

But what is the connection between the tool and the malware?  

To answer this question, Kaspersky Lab experts went to the official Ammyy Admin website and tried to download the software. They succeeded, but analysis of the software from the website showed that, along with the clean legitimate remote access tool, the Lurk trojan had also been downloaded.

IT service specialist overconfidence?

According to Kaspersky, the thinking behind this strategy was clear: the victim was unlikely to notice the malware installation because, due to the nature of remote access software, it is treated as malicious or dangerous by some AV solutions. Knowing that IT service specialists inside businesses do not always pay proper attention to warnings from security solutions, many would treat it as a false positive if detected by their AV solution. Users did not realise that malware had in fact been downloaded and installed onto their machines.”

Vasily Berdnikov, malware analyst at Kaspersky Lab has commented to say that using legitimate software for criminal purposes is a highly effective malware propagation technique.

“First of all, because cyber-criminals are able to play with users' perceptions about the safety of the legitimate software they are downloading. By downloading and installing software from well-known developers, users do not think about the possibility that there may be malicious attachments involved. This makes it much easier for cyber-criminals to gain access to their targets and significantly increases their number of victims,” said Berdnikov.

Wider opinions on these techniques

Also vocal on this story was Chris Hodson, CISO EMEA at Zscaler who said that the Ammyy Admin watering hole attack is not the first instance he has seen of a purportedly legitimate site being used to deliver malware. Hodson reminds us that the XCodeGhost malware of 2015 showed us that no one is immune from the reaches of cyber-criminals in their quest to deliver malicious code to users.

“[In the case of appyy] a secure software development methodology is not always easy to implement. It could be that malicious code was repeatedly uploaded through vulnerabilities that existed in the underlying OS and application stack, which hosted the site. PHP code on the website was then manipulated to ensure that the malicious binary was downloaded along with the legitimate application,” explained Hodson.

He asserts that what is clear is that the cyber-criminals were looking for more than kudos. The dropper file actually checks to see if the machine in question is attached to a corporate network - only then would it launch the Lurk malware.

“As with most attacks, user awareness plays a huge part. The malware in question was not digitally signed. A vigilant user could have picked this up although it is more realistic to expect the organisation to block the running of unsigned executables,” said Hodson.

Zscaler's advice to organisations hinges around the need to implement an in-depth, defensive approach when it comes to preventing these types of attacks. Signed or otherwise, if some form of sandboxing/malware analysis engine was in-line with the user traffic, the executable would have been detonated and inspected before installing on the user's machine.