Buhtrap gang distributes malware through Ammyy’s remote desktop software
ESET has uncovered several examples of malware being distributed via a strategic web compromise. Recently, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also malware.
Researchers noticed in late October that, for about a week, visitors to ammyy.com were downloading an installer that contained malware along with the Ammyy product. While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters, and several security products detect it as a Potentially Unsafe Application.
Similarly, Download.com, a major download site, doesn’t provide a direct-download link to Ammyy software to users, instead listing the Ammyy Admin page for information purposes only. However, Ammyy Admin is still widely used: Ammyy’s website lists clients that include TOP500 Fortune companies as well as Russian banks.
According to the investigation, five different malware families were distributed through Ammyy’s website during the recent incident. The first malware, the Lurk downloader, was distributed on October 26. Next was Corebot on October 29, then Buhtrap on October 30, and finally Ranbyus and Netwire RAT on November 2.
Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case. Thus it is quite possible that the cybercriminals responsible for the website hack sold the access to different groups.
Of the malware distributed via Ammyy’s website, of particular interest is the install package used in Operation Buhtrap.
“The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so called Advanced Persistent Threats,” said Jean-Ian Boutin, Malware Researcher at ESET.