Ammyy download carried Kasidet
Ammyy's official site again served a trojanized Ammyy Admin download. The SmartInstaller wrapper dropped Kasidet, using a World Cup-themed command server as cover.
Story
The Ammyy pattern returned in June 2018. ESET observed the official site serving a poisoned Ammyy Admin download from shortly after midnight on June 13 until the morning of June 14. The legitimate remote-access tool remained present; the wrapper added the malware.
The installer was named AA_v3.exe, as before. Attackers used SmartInstaller to build a new binary that dropped Ammyy_Service.exe before installing Ammyy Admin. That file carried Win32/Kasidet, a multipurpose bot and banking malware sold in criminal markets.
Kasidet searched for files likely to contain passwords or cryptocurrency wallet material, including wallet.dat, pass.txt, and passwords.txt. It also reported running processes tied to wallets, password managers, remote desktop tools, and administration tools, including Electrum, Exodus, KeePass, PuTTY, WinSCP, Xshell, Radmin, and vSphere.
The command server was fifa2018start.info, a name chosen to blend into World Cup noise. The attack was short, but the lesson was familiar: a vendor download for a remote-administration tool gives criminals both reach and plausible cover.
Affected Artifacts
- Observed: 2018-06-13 to 2018-06-14
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha1:6d11ea2d7dc9304e8e28e418b1dacff7809bdc27
  - sha1:6fb4212b81cd9917293523f9e0c716d2ca4693d4
  - sha1:675aca2c0a3e1eeb08d5919f2c866059798e6e93
- Evidence: distribution: ammyy.com/AA_v3.exe, file: AA_v3.exe, file: Ammyy_Service.exe, malware: Kasidet, +24 more
Incident Context
- Motive: Financial Gain, Data Theft
- Attribution: Group
- Cause: Website Compromise
- Transitive: No
- Actor: Unknown cybercriminal actors
External References
Source record: proprietary/ammyy-admin/meta.yaml