Proprietary 2015-10-26 · 7 days · Banking Trojan, Credential Theft, Remote Access, Data Theft

Ammyy site served banking malware

Ammyy's official website served installers that bundled Ammyy Admin with multiple malware families. The payloads included Lurk, Corebot, Buhtrap, Ranbyus, and Netwire RAT.

Story

Ammyy Admin was a legitimate remote desktop tool, widely used and widely abused. In late October and early November 2015, its official website became a malware distribution point. Visitors who expected the remote-access tool received a bundle with the real product and a criminal payload.

ESET reported five malware families in one short window. Lurk appeared on October 26, Corebot on October 29, Buhtrap on October 30, and Ranbyus and Netwire RAT on November 2. The droppers were the same across payload changes, suggesting the website compromise was a service: access to the download path could be rented or handed to different groups.

The method was simple and effective. Attackers changed what the official download path served, so the file fetched from ammyy.com/AA_v3.exe carried the real product plus a dropper. Administrators and support users were natural victims: remote-access tools are routinely flagged by security products as potentially unwanted, so a warning on an Ammyy installer was easy to dismiss, and the file came from the vendor's own domain rather than a mirror or a phishing link.

The impact was theft and access. Lurk and Buhtrap targeted banking. Corebot and Ranbyus carried credential and financial-theft capability. Netwire provided remote control. The trusted vendor site did the hard work of delivery.
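Two checks a defender would run on learning that the official download path served bundled malware, as an added example that is not part of this record or of any Ammyy or ESET tooling: find hosts that fetched ammyy.com/AA_v3.exe inside the observed window (those hosts need triage for the listed families, not just for Ammyy), flag size changes of the same served file (a bundled dropper is larger than the product alone and changes as the payload is swapped), and pin the installer to a hash you vetted rather than to the URL. The log format, client addresses, file sizes and the allowlisted hash are all constructed for illustration.

```python
# Added example, not code from the original record or from Ammyy/ESET.
# Log format, clients, sizes and the known-good hash below are constructed.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, datetime

# Observed window from the record (inclusive) and the affected download path.
WINDOW_START = date(2015, 10, 26)
WINDOW_END = date(2015, 11, 2)
AFFECTED_PATH = "ammyy.com/AA_v3.exe"

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
2015-10-25T09:12:01Z 10.0.0.11 GET http://www.ammyy.com/AA_v3.exe 200 718336
2015-10-27T14:03:55Z 10.0.0.23 GET http://www.ammyy.com/AA_v3.exe 200 961024
2015-10-27T14:05:10Z 10.0.0.23 GET http://www.ammyy.com/ 200 5120
2015-11-02T18:40:31Z 10.0.0.42 GET http://ammyy.com/AA_v3.exe 200 958976
2015-11-05T08:00:00Z 10.0.0.42 GET http://www.ammyy.com/AA_v3.exe 200 718336
"""


@dataclass(frozen=True)
class Download:
    ts: datetime
    client: str
    path: str   # URL with scheme and a leading "www." stripped
    size: int


def normalize(url: str) -> str:
    """Strip the scheme and a leading 'www.' so host variants compare equal."""
    for prefix in ("https://", "http://"):
        if url.lower().startswith(prefix):
            url = url[len(prefix):]
    if url.lower().startswith("www."):
        url = url[4:]
    return url


def parse_log(text: str) -> list[Download]:
    """Parse the constructed log format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Download(ts, parts[1], normalize(parts[3]), int(parts[5])))
    return out


def in_window(d: date) -> bool:
    return WINDOW_START <= d <= WINDOW_END


def hosts_that_fetched_in_window(text: str) -> list[tuple[str, str]]:
    """(client, timestamp) pairs that fetched the affected path inside the window."""
    return [
        (d.client, d.ts.isoformat())
        for d in parse_log(text)
        if d.path == AFFECTED_PATH and in_window(d.ts.date())
    ]


def size_changes(text: str) -> list[tuple[str, int, int]]:
    """Successive size changes of the same served path: (timestamp, old, new)."""
    last: dict[str, int] = {}
    changes = []
    for d in parse_log(text):
        prev = last.get(d.path)
        if prev is not None and prev != d.size:
            changes.append((d.ts.isoformat(), prev, d.size))
        last[d.path] = d.size
    return changes


# Hash pinning: trust a build you verified, not the download URL. The value
# here is derived from a constructed placeholder, not a real AA_v3.exe hash.
KNOWN_GOOD = {
    hashlib.sha256(b"constructed-known-good-installer").hexdigest(): "AA_v3.exe (vetted build)",
}


def pinned_name(data: bytes) -> str | None:
    """Return the pinned build name when the bytes match, else None (do not run it)."""
    return KNOWN_GOOD.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for client, ts in hosts_that_fetched_in_window(SAMPLE_LOG):
        print("triage", client, ts)
    for ts, old, new in size_changes(SAMPLE_LOG):
        print("size change", ts, old, "->", new)
    print(pinned_name(b"constructed-known-good-installer"))
```

The window check is inclusive on both ends because the record lists 2015-11-02 as an observed date, and the URL is normalized before matching so that www and bare-host fetches of the same file are not missed. The size heuristic is only a signal: it tells you the served file changed, which on a vendor's fixed download path is itself worth investigating, but only the pinned hash tells you which build you actually have.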

Affected Artifacts

Ammyy Admin

windows installer · ammyy.com · Binary Archive
Observed
2015-10-26 to 2015-11-02
Compromised Versions
Unknown
Fixed
Not listed
Evidence
distribution: ammyy.com/AA_v3.exe, malware: Lurk, malware: Corebot, malware: Buhtrap , +3 more
  • Exact affected Ammyy Admin product build was not reported in the cited public sources; file scope is recorded as the official AA_v3.exe download path.

Incident Context

Motive
Financial Gain · Data Theft
Attribution
Group
Cause
Website Compromise
Transitive
No
Actor
Unknown cybercriminal actors

External References

Source record: proprietary/ammyy-admin/meta.yaml