Legitimate software was used to propagate Trojan Lurk

During an investigation into the dangerous banking Trojan Lurk, Kaspersky Lab specialists discovered that the criminals behind this malicious software used legitimate software to spread the "infection." Unsuspecting users who installed legitimate remote access software from the software provider's official website (ammy.com) unwittingly downloaded malicious software onto their devices as well.

The Lurk gang was arrested in Russia in early June 2016; it had been using the Trojan of the same name. With its help, the gang appears to have stolen 45 million dollars (3 billion rubles[1]) from banks, other financial institutions and businesses in the country.

To spread the malware, the criminals used various malicious techniques, including watering hole attacks, which involve compromising a legitimate website and "contaminating" it with exploits, which in turn "infect" the victim's computer with malware. One of the watering hole attacks carried out by Lurk was of particular interest, as it relied not on exploits but on legitimate software.

During a technical analysis of Lurk, Kaspersky Lab's experts noticed an interesting pattern. Many of the malware's victims had the Ammyy Admin remote desktop tool installed on their computers. This tool is quite popular among corporate system administrators, as it enables remote work with the organization's IT infrastructure. But what is the relationship between the tool and the malware?

To answer this question, Kaspersky Lab specialists visited Ammyy Admin's official website and downloaded the software. Analysis of the download showed that, along with the "clean" official remote access tool, the Lurk Trojan had also "come down". The rationale behind this strategy was clear: the victim was unlikely to notice the installation of the malicious software, because remote access software, by its nature, is already flagged as malicious or dangerous by some antivirus solutions. Knowing that many IT staff do not always pay close attention to security alerts, the attackers counted on many of them dismissing the antivirus alert as a false positive. So users did not realize that malware had actually "come down" and been installed on their devices.


According to Kaspersky Lab data, the Lurk Trojan had been spreading via ammy.com since the beginning of February 2016. The company's researchers believe the attackers exploited weaknesses in the security of the Ammyy Admin site to add malicious software to the remote access tool's installation file. Kaspersky Lab specialists informed the site owners about the incident immediately after identifying it, and the owners apparently fixed the problem.

However, in early April 2016, another version of the Lurk Trojan was posted on the Ammyy website. This time the criminals had begun spreading a slightly modified Trojan, which automatically checked whether the victim's computer was part of a corporate network. The malware was installed only if it confirmed the presence of a corporate network, making the attacks more targeted.

Kaspersky Lab experts reported this suspicious activity again and received the company's response that the problem had been resolved. However, on 1 June 2016 they detected Fareit, a new Trojan that had been "planted" on the site. This time the malware was designed to steal users' personal information. This incident too was reported to the owners of the site.


Currently, the site does not "host" this malicious software.

"The use of legitimate software for criminal purposes is an extremely effective malware propagation technique. First of all, because digital criminals are able to play with users' perceptions about the security of the legitimate software they 'download'. By downloading and installing software from known manufacturers, users do not think that there may be malicious attachments involved. This makes it much easier for digital criminals to access their targets and significantly increases the number of their victims," warns Vasily Berdnikov, Malware Analyst at Kaspersky Lab.

To mitigate the risk of such attacks, IT service providers should constantly check for vulnerabilities within their organizations. At the same time, they should deploy reliable security solutions and improve employees' awareness of digital security issues.

Kaspersky Lab's products detect the above malicious programs under the names "Trojan-Spy.Win32.Lurk" and "Trojan-PSW.Win32.Fareit", preventing their installation from the site "ammy.com". The company urges businesses to check their networks for these malicious programs.

More information and technical details of the attack are available on Securelist.com.


Written by Dimitris
