Criminals Invent Clever New Way To Plant Banking Malware

A criminal gang recently found an effective way to spread malware that drains online bank accounts. They bundled the malicious executable inside the installer for a legitimate administrative tool available for download.

The legitimate tool is known as 'Ammyy Admin' and is used to provide remote access to a computer so someone can work on it without physical access. According to a recent Kaspersky Lab blog post, members of a Russian criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected.

To increase their chances of success, the criminals also modified the PHP script running on the Ammyy web server, which suggests they had control over the website itself rather than just the download file.

The result was a highly effective means of distributing the banking Trojan, because the legitimate Ammyy tool and the Trojan behave alike in a key respect: both provide remote access to the computer they run on, so the malware's activity blends in with what the user expects. As researchers from antivirus provider Kaspersky Lab explained:

Attacks of this type (known as Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. 

Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. 

Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.
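The failure mode Kaspersky describes above is an allowlisting mistake: an administrator who excludes the remote-admin tool from scanning by product name or file path also excludes anything that arrives under that name, including a trojanized bundle. The following Python script, added here as an illustration and not code from the original article or from Kaspersky, contrasts an exclusion keyed on filename with one keyed on a SHA-256 digest obtained out of band. The file bytes, the download path `AA_v3.exe`, the verdict strings and the policy names are all constructed for the example.

```python
"""Added example: name-based vs hash-based AV exclusions for a remote-admin tool.

All inputs are constructed stand-ins; nothing here resembles Ammyy Admin or Lurk.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample bytes: a "clean" installer and the same installer with an
# extra dropper payload appended, as a tampered download might look.
CLEAN_INSTALLER = b"MZ\x90\x00" + b"remote-admin-tool v3 (constructed sample)"
TROJANIZED_BUNDLE = CLEAN_INSTALLER + b"\x00dropper-stub+banking-trojan (constructed)"

# Assumed download path; the tampered file lands under the same name as the clean one.
INSTALLER_PATH = r"C:\Users\admin\Downloads\AA_v3.exe"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


# Assumption: this known-good digest was obtained from a channel other than the
# download site (vendor release notes, a signed manifest, a prior verified copy).
# A checksum published on the same compromised web server proves nothing.
KNOWN_GOOD_SHA256 = sha256_hex(CLEAN_INSTALLER)


@dataclass
class ExclusionPolicy:
    """What the administrator told the AV product to stop flagging."""
    by_name: set = field(default_factory=set)  # lowercase filenames
    by_hash: set = field(default_factory=set)  # SHA-256 hex digests


# The two policies being compared (constructed).
NAME_POLICY = ExclusionPolicy(by_name={"aa_v3.exe"})
HASH_POLICY = ExclusionPolicy(by_hash={KNOWN_GOOD_SHA256})


def verify_download(data: bytes) -> bool:
    """True only if the downloaded bytes match the out-of-band known-good digest."""
    return sha256_hex(data) == KNOWN_GOOD_SHA256


def decide(path: str, data: bytes, verdict: str, policy: ExclusionPolicy) -> tuple:
    """Model the AV decision after exclusions are applied.

    verdict is the scanner's label: "clean", an informational "not-a-virus:..."
    label for a remote-admin tool, or a malware family name.
    Returns ("allow" | "block", reason).
    """
    if verdict == "clean":
        return "allow", "no detection"
    filename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # A name exclusion matches anything that arrives under that filename,
    # including a trojanized bundle: this is the mistake the quote warns about.
    if filename in policy.by_name:
        return "allow", "name exclusion"
    # A hash exclusion matches only the exact bytes that were reviewed.
    if sha256_hex(data) in policy.by_hash:
        return "allow", "hash exclusion"
    return "block", "no matching exclusion"


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_INSTALLER), ("trojanized", TROJANIZED_BUNDLE)):
        verdict = "not-a-virus:RemoteAdmin" if label == "clean" else "Trojan-Banker"
        print(label, "verified:", verify_download(data),
              "name policy:", decide(INSTALLER_PATH, data, verdict, NAME_POLICY),
              "hash policy:", decide(INSTALLER_PATH, data, verdict, HASH_POLICY))
```

Under the name-based policy the trojanized bundle is allowed with exactly the same reason as the clean installer; under the hash-based policy only the reviewed bytes pass and the bundle is blocked. The same digest check in `verify_download` is the test to run on any installer fetched from a site that has previously been found serving malware, using a reference value that did not come from that site.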

Kaspersky Lab researchers say the Ammyy website has been breached several times. Even after the malicious code was removed earlier this year, it somehow returned. In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk.

"This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com," Kaspersky Lab researchers wrote.

The takeaway is that website infections can have serious consequences and are often extremely hard to remove. A site that has been caught distributing malware should probably not be trusted again, and any installer downloaded from it should be verified against a reference that did not come from the same site.

Ars Technica
