Security researchers at ESET discovered that, in late October, visitors to the Ammyy website were being served malware alongside the popular and portable Ammyy Admin remote desktop software, allowing the Buhtrap gang to gain control of victims' computers.
Buhtrap malware distributed via ammyy.com
The tools deployed on the victim's computer allowed the gang to control the device remotely and record the user's actions. How did the malware make its way onto the computers? It was distributed via a strategic web compromise: when visitors navigated to ammyy.com, they were offered a bundle containing not only the company's legitimate remote desktop software, Ammyy Admin, but also malware.
It is worth mentioning that while Ammyy Admin is legitimate software, it can be misused by fraudsters. Several security firms, ESET among them, therefore label it a Potentially Unsafe Application.
Jean-Ian Boutin, Malware Researcher at ESET, wrote in a blog post:
"The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so-called Advanced Persistent Threats." He further added: "Although these families are not linked together, the droppers that might have been downloaded from Ammyy's website were the same in every case. The executable would install the real Ammyy product, but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload."
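The two dropper file names quoted above are the one concrete detection handle the report gives. The script below is an added example, not ESET's code or anything from Ammyy: it scans process-creation events for an image whose file name matches AmmyyService.exe or AmmyySvc.exe (case-insensitively, whatever the directory) and records which parent process launched it, so an analyst can see the installer that spawned the payload. The key="value" log format and every log line are constructed for this illustration; the installer name `ammyy_bundle_installer.exe` is a placeholder, not the real download.

```python
"""Flag process-creation events whose image matches the dropper file names
named in ESET's Buhtrap/ammyy.com report (AmmyyService.exe, AmmyySvc.exe).

The log format and the sample events are constructed for this example and
do not come from any real endpoint or from the report itself.
"""
import re
from typing import Dict, Iterable, List

# File names the report says carried the malicious payload.
SUSPECT_IMAGE_NAMES = {"ammyyservice.exe", "ammyysvc.exe"}

# Assumed key="value" event format (not a specific product's log format).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final path component; accepts both '\\' and '/' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_dropper_launches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per event whose image file name is a known dropper name.

    Each hit keeps the original image path, the normalized file name and the
    parent image so the launching installer is visible in the alert.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if not image:
            continue  # malformed or unrelated line
        name = basename(image)
        if name in SUSPECT_IMAGE_NAMES:
            hits.append({
                "time": ev.get("time", ""),
                "image": image,
                "image_name": name,
                "parent": ev.get("parentimage", ""),
                "reason": "image name matches Buhtrap dropper file name",
            })
    return hits


# Constructed sample events: one benign system process, one bundle installer
# and two payload launches (one in mixed case, one under a different parent).
LOG = [
    'time="2015-10-28T10:02:11Z" image="C:\\Users\\alice\\Downloads\\ammyy_bundle_installer.exe" '
    'parentimage="C:\\Program Files\\Internet Explorer\\iexplore.exe"',
    'time="2015-10-28T10:02:13Z" image="C:\\Users\\alice\\AppData\\Local\\Temp\\AmmyyService.exe" '
    'parentimage="C:\\Users\\alice\\Downloads\\ammyy_bundle_installer.exe"',
    'time="2015-10-28T10:05:00Z" image="C:\\Windows\\System32\\svchost.exe" '
    'parentimage="C:\\Windows\\System32\\services.exe"',
    'time="2015-10-28T11:40:09Z" image="c:/programdata/AMMYYSVC.EXE" '
    'parentimage="C:\\Users\\bob\\Downloads\\setup.exe"',
]

if __name__ == "__main__":
    for hit in find_dropper_launches(LOG):
        print(f'{hit["time"]} {hit["image"]} launched by {hit["parent"]}: {hit["reason"]}')
```

A file-name match is a brittle indicator on its own, since a repackaged dropper can be renamed; in practice this rule is a starting point to be paired with the hash and signer of the downloaded installer and with an allow-list of the files the genuine product is expected to drop.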
The report states that between Oct. 26 and Nov. 2, several malware families (Corebot, Buhtrap, Ranbyus and the Netwire RAT) were distributed to thousands of unsuspecting website visitors.