The website of the Ammyy Admin remote desktop management tool has been compromised to spread malware for the God-knows-what time in the past year.
Softpedia detected that something was wrong after we started receiving worrisome comments from readers on two articles detailing past infections of the Ammyy Admin website.
Ammyy Admin website compromised for at least two days
The contaminated Ammyy Admin file MalwareHunterTeam managed to obtain had been uploaded on VirusTotal 20 times by 19 different people, between 2016-09-14 07:47:04 and 2016-09-15 06:50:39.
Some users have the habit of double-checking downloaded files by scanning them using VirusTotal. The period above is most likely the interval during which the website had been compromised, and some of its users had scanned the file.
A Hybrid Analysis report on the file reveals a binary called "encrypted.exe" bundled with the original AA_v3.exe, the legitimate installer. Every user running the installer would also run this file, which installs the Cerber ransomware.
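The trojanized installer described above carried a second binary alongside the legitimate one. As an added example, not code from the article or from Ammyy, the Python below shows two checks a cautious user or an IT team can run on a downloaded installer before executing it: comparing its SHA-256 against a reference hash obtained through a channel other than the download site (which, in this case, was itself compromised), and parsing the PE section table to see whether an executable has been appended in the overlay, the region past the last declared section where bundled payloads are often stored. The PE blobs, hashes and names in it are constructed for the demo; a real trojanized installer can embed its payload in other ways (as a resource, inside a packed section, or as a separate download), so an empty overlay is not proof that a file is clean.

```python
import hashlib
import struct


def pe_end_of_sections(data: bytes) -> int:
    """Return the file offset just past the last section declared in the PE
    header, or -1 if the data is not a PE file. Bytes beyond that offset are
    'overlay': the loader never maps them, which makes the overlay a common
    place to stash a second executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return -1
        coff = e_lfanew + 4                              # COFF file header
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        table = coff + 20 + opt_size                     # section table start
        end = table + 40 * num_sections                  # at least the headers
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:
        return -1                                        # truncated header


def find_overlay_executables(data: bytes) -> list:
    """Offsets of PE headers (an 'MZ' whose e_lfanew points at 'PE\\0\\0')
    found in the overlay. A clean installer normally has an empty or
    data-only overlay."""
    end = pe_end_of_sections(data)
    if end < 0:
        return []
    hits = []
    pos = data.find(b"MZ", end)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def check_download(data: bytes, known_good_sha256: str) -> dict:
    """Both checks together: a hash comparison against a value obtained from a
    trusted channel (not from the possibly compromised site), plus the
    overlay scan for a bundled executable."""
    digest = hashlib.sha256(data).hexdigest()
    end = pe_end_of_sections(data)
    return {
        "sha256": digest,
        "hash_matches": digest == known_good_sha256.lower(),
        "overlay_bytes": len(data) - end if end >= 0 else 0,
        "embedded_executables": find_overlay_executables(data),
    }


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed, minimal PE-shaped blob for the demo (one section, no real
    code, not a runnable program). It stands in for the installer and for the
    appended binary; it is not derived from AA_v3.exe or encrypted.exe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, no timestamp/symbols, no optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = len(dos) + len(coff) + 40                  # data follows the table
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
               + b"\0" * 16)
    return dos + coff + section + payload


# Constructed samples: a "clean" installer and the same file with a second
# executable appended in its overlay after 16 bytes of padding.
CLEAN_SAMPLE = build_fake_pe(b"A" * 64)
TROJANIZED_SAMPLE = CLEAN_SAMPLE + b"\0" * 16 + build_fake_pe(b"B" * 32)
# Stands in for a hash published by the vendor through a separate channel.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_SAMPLE).hexdigest()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("trojanized", TROJANIZED_SAMPLE)):
        print(name, check_download(blob, KNOWN_GOOD_SHA256))
```

Run it as a script to see both verdicts; for a real file, pass the installer's bytes and a hash you obtained from the vendor by a channel other than the download page, since a hash published on a compromised site can be replaced along with the file.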
Ammyy Admin website serving latest version of the Cerber ransomware
Cerber, which appeared at the start of the year, has had several major branches; some of these were cracked, and security researchers created a free decrypter to help victims recover their files.
The version distributed via the Ammyy Admin installer is the latest, v3, which locks files with the .cerber3 extension. At the time of writing, this version is uncrackable.
MalwareHunterTeam also said that he did not inform the website's admin of the compromise and that the infection stopped on its own. Either the crooks realized they were exposed, or they're just preparing another version of the Ammyy installer that would spread other types of malware.
Ammyy Admin website has spread at least six other types of malware
In the past, both ESET and Kaspersky have put out reports about how the site was used to spread all sorts of malware, such as the Ranbyus, Lurk and Buhtrap banking trojans, the CoreBot and Fareit infostealers, and the NetWire RAT.
ESET reported that the Ammyy Admin website spread malware in October and November 2015, while Kaspersky reported numerous similar incidents that took place between February and July 2016.
Softpedia has reached out to Ammyy Admin's team for additional comments. At the time of writing, even though Ammyy Admin downloads are clean, we can't vouch that they'll stay this way, given the website's track record.