Legitimate software was used to propagate the Lurk Trojan

During an investigation into the dangerous banking Trojan Lurk, Kaspersky Lab experts discovered that the criminals behind this malware were using legitimate software to spread the infection. Unsuspecting users who installed a legitimate remote-access tool from its vendor's official website (ammyy.com) unwittingly downloaded the malware onto their devices as well.

The Lurk gang was arrested in Russia in early June 2016; it had been using the multi-stage Trojan of the same name. With its help, the group appears to have stolen about 45 million dollars (3 billion rubles[1]) from banks, other financial institutions and businesses in the country.

To spread the malware, the criminals used various techniques, including watering-hole attacks, in which a legitimate website is compromised and seeded with exploits that in turn infect visitors' computers. One watering-hole attack carried out by Lurk was of particular interest because it relied not on exploits but on legitimate software.

During a technical analysis of Lurk, Kaspersky Lab's experts noticed an interesting pattern: many of the malware's victims had the Ammyy Admin remote desktop tool installed on their computers. This tool is quite popular among business system administrators, as it allows them to work remotely with an organization's IT infrastructure. But what was the relationship between the tool and the malware?

To answer this question, Kaspersky Lab experts visited Ammyy Admin's official website and downloaded the software. Analysis of the download showed that, along with the clean official remote-access tool, the Lurk Trojan had been downloaded too. The rationale behind this strategy was clear: the victim was unlikely to notice the installation of the malware because, given the nature of remote-access software, some security solutions flag it as potentially unwanted or dangerous anyway. Knowing that many IT staff do not always give proper attention to warnings from security solutions, the attackers counted on most of them treating the antivirus alert as a false positive. As a result, users did not realize that malware had actually been downloaded and installed on their devices.

According to Kaspersky Lab data, the Lurk Trojan was distributed through ammyy.com from the beginning of February 2016. The company's researchers believe the attackers exploited weaknesses in the security of the Ammyy Admin site to add the malware to the remote-access software's installation file. Kaspersky Lab specialists informed the site owners immediately after the incident was identified, and the owners apparently fixed the problem.
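As an added illustration, not code from the article, Kaspersky Lab or Ammyy, the Python below shows two checks a defender can run on an installer downloaded from a vendor site before trusting it: comparing its SHA-256 against a hash obtained out of band (e.g. from the vendor by a second channel), and parsing the PE headers to spot a second executable image or overlay data appended to the legitimate installer, which is the usual shape of a bundled dropper. The sample "installer" bytes, the appended payload and the vendor hash are all constructed here for the demonstration; nothing about the real Lurk dropper's file layout is asserted.

```python
import hashlib
import struct


# Constructed sample data: a minimal, non-executable PE image standing in for a
# vendor installer. Real installers are far larger, but the header layout the
# checks rely on (DOS header -> PE signature -> COFF header -> optional header
# -> section table) is the same.
def build_min_pe(section_data: bytes) -> bytes:
    """Return a minimal PE32 image with one section whose raw data starts at 0x200."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    # i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + section_data


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every MZ header whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bound on e_lfanew keeps random "MZ" byte pairs from matching.
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def overlay_size(data: bytes) -> int:
    """Bytes after the last section's raw data, i.e. data the PE loader never maps."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                  # section table follows the optional header
    end = table + 40 * num_sections             # at least the headers themselves
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def audit_installer(data: bytes, vendor_sha256: str) -> dict:
    """Compare the download against the vendor hash and look for bundled payloads."""
    embedded = find_embedded_pe(data)
    overlay = overlay_size(data)
    hash_ok = hashlib.sha256(data).hexdigest() == vendor_sha256
    return {
        "hash_ok": hash_ok,
        "embedded_pe_offsets": embedded,
        "overlay_bytes": overlay,
        # A hash mismatch is decisive. Extra PE images or overlay data are only a
        # cue for manual review: packers and legitimate self-extracting installers
        # produce the same signals, so they must not be treated as proof of tampering.
        "needs_review": (not hash_ok) or len(embedded) > 1 or overlay > 0,
    }


# Constructed inputs: the clean installer, and the same file with a second PE
# (the "bundled Trojan") appended as overlay data.
CLEAN_INSTALLER = build_min_pe(b"A" * 64)
TROJANIZED_INSTALLER = CLEAN_INSTALLER + build_min_pe(b"B" * 32)
# Hypothetical value standing in for a hash the vendor would publish out of band.
VENDOR_SHA256 = hashlib.sha256(CLEAN_INSTALLER).hexdigest()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        print(name, audit_installer(blob, VENDOR_SHA256))
```

The hash comparison is the check that actually decides the question on this page: if the site serves a file whose digest differs from what the vendor published elsewhere, the download has been altered, whatever the antivirus says about remote-access tools. The PE-structure checks are useful when no reference hash exists, but they need a human to look at what the overlay or second image is.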

However, in early April 2016, another version of the Lurk Trojan was posted on the Ammyy website. This time the attackers had begun distributing a slightly modified Trojan that automatically checked whether the victim's computer was part of a corporate network. The malware installed itself only if it confirmed it was on a corporate network, making the attacks more targeted.

Kaspersky Lab experts reported this suspicious activity again and received the company's response that the problem had been resolved. However, on 1 June 2016 they detected Fareit, a different Trojan, newly planted on the site. This time the malware was designed to steal users' personal information. This incident too was reported to the site owners.

At the time of writing, the site no longer hosts this malware.

“Using legitimate software for criminal purposes is a highly effective malware propagation technique, first of all because digital criminals are able to play on users' perceptions of the safety of the legitimate software they download. When downloading and installing software from well-known manufacturers, users do not think about the possibility that malicious attachments might be involved. This makes it much easier for digital criminals to gain access to their targets and significantly increases their number of victims,” warns Vasily Berdnikov, Malware Analyst at Kaspersky Lab.

To mitigate the risk of such attacks, IT service providers should continuously check for vulnerabilities within their organizations. At the same time, they should deploy reliable security solutions and improve employees' knowledge of digital security issues.

Kaspersky Lab products detect the malware described above, registered under the names "Trojan-Spy.Win32.Lurk" and "Trojan-PSW.Win32.Fareit", and block its installation from the ammyy.com website. The company urges businesses to check their networks for any malicious programs.

More information and technical details of the attack are available on Securelist.com.

iGuRu.gr, The Best Technology Site in Greece


Written by Dimitris

