Users who downloaded the free remote administration tool Ammyy Admin from its official website ammyy.com on June 13 or 14, beware!

According to ESET’s analysis, within that timeframe the website was compromised to serve a malware-tainted version of this otherwise legitimate software. To add an interesting twist to the incident, the attackers tried to hide their malicious activity behind the brand of the ongoing FIFA World Cup.

It feels almost like traveling back in time. In October 2015, the website offering a free version of Ammyy Admin software started serving malicious code connected to the cybercrime group Buhtrap. Now history repeats itself and the site seems to be compromised again. The issue was first spotted by ESET researchers shortly after midnight on June 13 and persisted until the morning of June 14.

Remote admin with Kasidet bot on the side

Users who downloaded software from ammyy.com in the aforementioned timeframe received more than just the requested software – part of the bundle was also a multipurpose Trojan and banking malware detected by ESET as Win32/Kasidet. ESET advises all potential victims to take precautionary measures and use a reliable security product to scan and clean their devices.

Win32/Kasidet is a bot that is sold in underground crime markets and is actively used by various cybercriminal groups. The build detected on the ammyy.com site on June 13 and 14, 2018 had two main goals:

  1. Stealing files that could contain passwords or access data for cryptocurrency wallets and accounts of the victims. It achieves this by searching for filenames that match the following masks and by sending them to the C&C server:
  • bitcoin
  • pass.txt
  • passwords.txt
  • wallet.dat

2. Reporting processes whose names include any of the following strings:

  • armoryqt
  • bitcoin
  • exodus
  • electrum
  • jaxx
  • keepass
  • kitty
  • mstsc
  • multibit
  • putty
  • radmin
  • vsphere
  • winscp
  • xshell

The URL of the command and control server, hxxp://fifa2018start[.]info/panel/tasks.php, was also interesting – it seems as if it was designed by the attackers to use the ongoing FIFA World Cup as cover for their malicious network communication.

ESET researchers spotted multiple similarities to the 2015 attack. Back then, attackers were misusing ammyy.com to serve numerous malware families, changing them on an almost daily basis. In the 2018 case, ESET systems detected only Win32/Kasidet, however, the obfuscation of the payload changed on three occasions, probably to avoid detection by security products.

Another similarity between the incidents was the identical name of the file – Ammyy_Service.exe –containing the payload. The downloaded installer AA_v3.exe may look legitimate at first sight, however the attackers have used SmartInstaller and built a new binary, which drops the Ammyy_Service.exe before installing Ammyy Admin software.

Conclusion

As the site has been similarly compromised in the past, ESET recommends that users run a reliable up-to-date — and updated — multi-layered antimalware solution whenever they try to download software from this website.

While Ammyy Admin is a legitimate tool, it has a long history of being misused by fraudsters. As a result, several security products, including ESET’s, detect it as a Potentially Unsafe Application. However, it is still widely used, mostly in Russia.

We notified Ammyy about the issue. As Ammyy Admin is widely used, we feel it is important to warn its users about its current security issues.

Special thanks to Jakub Souček, who pointed us to the compromise and provided the analysis.

IoCs

ESET detection names
Win32/Kasidet
SHA-1 hashes
Installer
6D11EA2D7DC9304E8E28E418B1DACFF7809BDC27
6FB4212B81CD9917293523F9E0C716D2CA4693D4
675ACA2C0A3E1EEB08D5919F2C866059798E6E93
Win32/Kasidet
EFE562F61BE0B5D497F3AA9CF27C03EA212A53C9
9F9B8A102DD84ABF1349A82E4021884842DC22DD
4B4498B5AFDAA4B9A2A2195B8B7E376BE10C903E
C&C Servers
fifa2018start[.]info