Proprietary 2016-02-01 · 121 days · Banking Trojan, Credential Theft, Spyware, Data Theft

Ammyy download bundled Lurk

Ammyy's official download path repeatedly delivered an unsigned NSIS wrapper that installed Ammyy Admin and malware. Lurk later gave way to Fareit after arrests of suspected Lurk operators.

Story

In 2016, Kaspersky connected Lurk infections to recent Ammyy Admin downloads. The common point was not spam or exploit kits. It was the official Ammyy website, where users obtained a remote administration tool and received spyware with it.

The poisoned download was an unsigned NSIS archive. When executed, it wrote and launched two files: a digitally signed legitimate Ammyy Admin installer, aa_v3.exe, and a malicious ammyysvc.exe detected as Trojan-Spy.Win32.Lurk. The screen still looked like a normal installer.

The server-side delivery script had been modified. Kaspersky said it warned Ammyy after the first discovery and again during three February recurrences; the malicious code was removed, then returned. In early April, a modified dropper checked whether the victim belonged to a corporate network before launching Lurk.

On June 1, the payload changed from Lurk to Trojan-PSW.Win32.Fareit, the same day Russian authorities announced arrests tied to Lurk. Kaspersky read that as evidence of a market: whoever controlled the Ammyy download path could sell placement in the dropper.

Affected Artifacts

Ammyy Admin

Windows installer · ammyy.com · Binary Archive
Observed
2016-02-01 to 2016-06-01
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • md5:d93b214c093a9f1e07248962aeb74fc8
  • md5:fa3f9938845ec466993a0d89517fe4bd
  • md5:c6847f43c3f55a9536ddcd34b9826c67
  • +7 more
Evidence
distribution: ammyy.com/AA_v3.exe, file: aa_v3.exe, file: ammyysvc.exe, malware: Lurk, +4 more
  • Start date is approximate; Kaspersky described discovery in early February 2016 and repeated recurrences through June 1.

Incident Context

Motive
Financial Gain, Data Theft
Attribution
Group
Cause
Website Compromise
Transitive
No
Actor
Unknown cybercriminal actors

External References

Source record: proprietary/ammyy-admin/meta.yaml