Criminals Invent Clever New Way To Plant Banking Malware

A criminal gang recently found an effective way to spread malware that drains online bank accounts. They bundled a malicious executable inside the installer of a legitimate administrative tool that was available for download.

The legitimate tool is known as 'Ammyy Admin' and is used to provide remote access to a computer so someone can work on it without having physical access to it. According to a recent Kaspersky Lab blog post, members of a Russian criminal enterprise known as Lurk managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected.

To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, which suggests they had control over the website itself.
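When the download site itself is under attacker control, the only defence left to the person installing the tool is to verify the file against a digest obtained somewhere other than that site (a vendor advisory, a signed manifest, a copy verified earlier). The following Python script is an added example, not code from the original article or from Ammyy; it pins an expected SHA-256 and rejects a download whose digest differs, such as an installer with an extra payload appended. The installer bytes, the appended payload and the pinned digest are all constructed here so the script runs offline; in practice the pinned value would come from the out-of-band source, never from the download page.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, expected_sha256_hex: str) -> bool:
    """True only if the file's SHA-256 equals the pinned digest.

    compare_digest is used so the comparison does not short-circuit on the
    first differing character; the digest strings are ASCII hex, which is
    what compare_digest expects for str arguments.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def check_download(data: bytes, expected_sha256_hex: str) -> str:
    """Decision string for an installer that was just downloaded."""
    if verify_installer(data, expected_sha256_hex):
        return "ok: digest matches pinned value"
    return "REJECT: digest mismatch, do not run this installer"


# Constructed sample data (hypothetical, not real Ammyy Admin bytes):
# a stand-in for the clean installer and a tampered copy that carries an
# extra payload appended after the legitimate content, which is how a
# trojanized installer typically differs from the genuine one.
CLEAN_INSTALLER = b"MZ\x90\x00" + b"constructed legitimate installer body" * 8
TAMPERED_INSTALLER = CLEAN_INSTALLER + b"constructed extra payload stub"

# Pinned digest. In this example it is derived from the constructed clean
# sample so the script is self-contained; in real use it is copied from an
# out-of-band source and never from the same web server as the download.
PINNED_DIGEST = sha256_hex(CLEAN_INSTALLER)


if __name__ == "__main__":
    print(check_download(CLEAN_INSTALLER, PINNED_DIGEST))
    print(check_download(TAMPERED_INSTALLER, PINNED_DIGEST))
```

Because a compromised server can rewrite both the file and any hash shown beside it, the check is only as good as the source of the pinned digest; a signed manifest or a vendor advisory delivered through a separate channel is what makes the comparison meaningful.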

The result was a highly effective means of distributing the banking Trojan, because the legitimate Ammyy tool and the Trojan behave alike in one important respect: both provide remote access to the computer they run on. As researchers from antivirus provider Kaspersky Lab explained:

Attacks of this type (known as Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. 

Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. 

Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.

Kaspersky Lab researchers say the Ammyy website has been breached several times. Even after the malicious code was removed earlier this year, it somehow came back. In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk.

"This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com," Kaspersky Lab researchers wrote.

The takeaway is that website infections can have serious consequences and are often extremely hard to remove. Sites that are caught distributing malware should probably not be trusted again.

Ars Technica
