Tuesday, 20 September 2016

Ammyy Admin Website Compromised

The website of the Ammyy Admin remote desktop management tool has been compromised to spread malware yet again, the latest in a string of similar incidents over the past year.

Softpedia noticed that something was wrong after receiving worrying comments from readers on two earlier articles that detailed past infections of the Ammyy Admin website.

Ammyy Admin website compromised for at least two days

The contaminated Ammyy Admin file that MalwareHunterTeam managed to obtain had been uploaded to VirusTotal 20 times by 19 different submitters, between 2016-09-14 07:47:04 and 2016-09-15 06:50:39.
Some users have the habit of double-checking downloaded files by scanning them with VirusTotal, so the period above is most likely the interval during which the website was serving the tainted installer and some of its users scanned what they had downloaded.
A sandbox analysis of the file reveals a second binary, named "encrypted.exe", bundled together with the legitimate AA_v3.exe installer. Every user who ran the installer would also run this dropper, which installs the Cerber ransomware.
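Two offline checks that address the points above, written for this page as an added example (it is not code from the original article, from MalwareHunterTeam or from Ammyy): comparing a downloaded installer's SHA-256 against a hash obtained out of band, and scanning the file for a second embedded PE image, which is what a bundled dropper such as the "encrypted.exe" described above would look like on disk. A VirusTotal scan only tells you whether someone else's engines already recognise a file; a pinned hash tells you whether the file is the one you expected. The pinned hash and the sample bytes are constructed for the example, and the PE blobs are minimal stand-ins, not real executables.

```python
"""
Added example, not part of the original article: two offline sanity checks
for a downloaded Windows installer before running it.

1. matches_pinned_hash(): compare SHA-256 against a hash obtained out of band.
2. find_pe_headers(): list every plausible PE image inside the file, i.e. an
   "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature.
   More than one hit means the file carries a second executable, which is
   what a trojanised installer bundling a dropper looks like.

The sample blobs and the pinned hash below are constructed for the example.
"""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_pinned_hash(data: bytes, expected_hex: str) -> bool:
    # Normalise case so a hash copied from a web page in upper case still matches.
    return sha256_hex(data) == expected_hex.strip().lower()


def find_pe_headers(data: bytes):
    """Return the offsets of every plausible PE image found in `data`."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew is the 4-byte little-endian field at offset 0x3C of the DOS header.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity checks: the NT header must lie past the DOS header, inside the
            # buffer, and start with the "PE\0\0" signature.
            if e_lfanew >= 0x40 and pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def has_embedded_pe(data: bytes) -> bool:
    """True when the file contains more than one PE image (installer + payload)."""
    return len(find_pe_headers(data)) > 1


def fake_pe(name: bytes) -> bytes:
    """Build a minimal, non-executable PE-shaped blob for the demonstration."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> immediately after the DOS header
    return bytes(dos) + b"PE\0\0" + name + b"\0" * 64


# Constructed samples: a "clean" installer and the same installer with a second
# executable appended, mimicking the bundled dropper described in the article.
CLEAN_INSTALLER = fake_pe(b"AA_v3")
TROJANISED_INSTALLER = CLEAN_INSTALLER + fake_pe(b"encrypted")
PINNED_SHA256 = sha256_hex(CLEAN_INSTALLER)  # in practice obtained out of band, not from the download site


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("trojanised", TROJANISED_INSTALLER)):
        print(label, "hash ok:", matches_pinned_hash(blob, PINNED_SHA256),
              "PE headers at:", find_pe_headers(blob),
              "embedded payload:", has_embedded_pe(blob))
```

A second PE header is a prompt to look closer, not proof of malice: self-extracting archives and setup frameworks legitimately embed executables too. On Windows, checking the installer's Authenticode signature against the vendor's certificate is the stronger test; the hash comparison above is the platform-independent fallback when you hold a known-good value.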

Ammyy Admin website serving latest version of the Cerber ransomware

Cerber, which appeared at the start of the year, has gone through several major branches. Some of them were cracked, and security researchers released a free decrypter to help victims recover their files.
The sample distributed via the Ammyy Admin installer carries the latest branch, v3, which appends the .cerber3 extension to the files it encrypts. At the time of writing, no free decrypter exists for this version.
Cerber 3 ransom note
MalwareHunterTeam also said he had not informed the website's administrators of the compromise and that it stopped on its own. Either the crooks realized they had been exposed, or they are preparing another version of the Ammyy installer that will spread a different type of malware.

Ammyy Admin website has spread at least six other types of malware

In the past, both ESET and Kaspersky have put out reports about how the site was used to spread all sorts of malware, such as the Ranbyus, Lurk and Buhtrap banking trojans, the CoreBot and Fareit infostealers, and the NetWire RAT.
ESET reported that the Ammyy Admin website spread malware in October and November 2015, while Kaspersky reported numerous similar incidents between February and July 2016.
Softpedia has reached out to Ammyy Admin's team for additional comments. Even if Ammyy Admin downloads are clean at the time of writing, we can't vouch that they will stay this way, given the website's track record.