Ammyy Admin site compromised again

    We are warning users who downloaded the Ammyy Admin remote-access program from the official site on June 13-14. The site was compromised, and during that interval a trojanized version of the program was served from it. One more detail: the attackers used the FIFA World Cup brand to disguise the malicious network activity.

    In October 2015 the site offering the free version of Ammyy Admin had already been used to distribute malware; we attributed that attack to the well-known cybercriminal group Buhtrap. Now history has repeated itself. We detected the problem shortly after midnight on June 13; the malware distribution lasted until the morning of June 14.

    Remote administration tool, Kasidet bot included

    Users who downloaded Ammyy Admin on June 13-14 received a bundle of the legitimate software and a multipurpose Trojan, detected by ESET products as Win32/Kasidet. We recommend that potential victims scan their devices with an antivirus product.

    Win32/Kasidet is a bot sold on the darknet and actively used by various cybercriminal groups. The build found on June 13 and 14, 2018, had two functions:

    1. Theft of files that may contain passwords and other credentials for the victim's cryptocurrency wallets and accounts. For this purpose the malware searches for the following file names and sends the files to the C&C server:
    - bitcoin
    - pass.txt
    - passwords.txt
    - wallet.dat

    2. Searching for running processes by the following names:
    - armoryqt
    - bitcoin
    - exodus
    - electrum
    - jaxx
    - keepass
    - kitty
    - mstsc
    - multibit
    - putty
    - radmin
    - vsphere
    - winscp
    - xshell

    The URL of the C&C server (hxxp://fifa2018start[.]info/panel/tasks.php) is also of interest. It seems the attackers decided to use the World Cup brand to disguise the malicious network activity.

    We found similarities with the 2015 attack. Back then the attackers distributed several malware families, changing them almost every day. In 2018 only Win32/Kasidet was distributed, but the obfuscation of the payload was changed three times, probably to avoid detection by antivirus products.

    Another similarity between the incidents is the identical name of the file containing the payload: Ammyy_Service.exe. The downloaded AA_v3.exe installer may look legitimate at first glance, but the attackers used SmartInstaller to create a new binary that drops Ammyy_Service.exe before installing Ammyy Admin.
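As an added example (not code from the ESET write-up), the script below shows how a defender could hunt for the chain described above in endpoint telemetry: an AA_v3.exe installer writing Ammyy_Service.exe, that dropped file running as a child process, and the child contacting the C&C host. The event records are constructed Sysmon-style data; the field names, the benign example.com connection and the function names are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the write-up; the URL is kept in its defanged form.
C2_URL_DEFANGED = "hxxp://fifa2018start[.]info/panel/tasks.php"
INSTALLER_NAME, PAYLOAD_NAME = "aa_v3.exe", "ammyy_service.exe"

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").lower()

C2_HOST = re.match(r"https?://([^/]+)", refang(C2_URL_DEFANGED)).group(1)

def basename(path):
    # Last path component, lower-cased, for Windows or POSIX separators.
    return re.split(r"[\\/]", path)[-1].lower()

def find_kasidet_chains(events):
    """Correlate Sysmon-style events (constructed field names) and return (pid, reason)
    pairs: the full installer -> dropped payload -> C2 chain, or any C2 contact."""
    image, parent = {}, {}
    dropped = defaultdict(set)    # pid -> file names it created
    contacted = defaultdict(set)  # pid -> hosts it connected to
    for e in events:
        if e["type"] == "process_create":
            image[e["pid"]] = basename(e["image"])
            parent[e["pid"]] = e["ppid"]
        elif e["type"] == "file_create":
            dropped[e["pid"]].add(basename(e["target"]))
        elif e["type"] == "network_connect":
            contacted[e["pid"]].add(e["dest_host"].lower())
    hits = []
    for pid, name in image.items():
        ppid = parent[pid]
        beacons = C2_HOST in contacted[pid]
        chain = (name == PAYLOAD_NAME and image.get(ppid) == INSTALLER_NAME
                 and PAYLOAD_NAME in dropped[ppid])
        if chain and beacons:
            hits.append((pid, "installer dropped payload that beaconed to C2"))
        elif beacons:
            hits.append((pid, "process contacted C2 host"))
    return hits

# Constructed sample telemetry (not real data): one trojanized install, one clean run.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\AA_v3.exe"},
    {"type": "file_create", "pid": 100, "target": r"C:\Users\u\AppData\Local\Temp\Ammyy_Service.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\Ammyy_Service.exe"},
    {"type": "network_connect", "pid": 200, "dest_host": "fifa2018start.info", "dest_port": 80},
    {"type": "process_create", "pid": 300, "ppid": 1, "image": r"C:\Users\u\Downloads\AA_v3.exe"},
    {"type": "network_connect", "pid": 300, "dest_host": "example.com", "dest_port": 443},
]
```

The payload file name alone is a weak signal, so the rule only raises the strong verdict when the drop chain is completed by a connection to the C&C host; a bare C&C contact is still reported separately.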


    Since this is not the first time the site has been compromised, we recommend installing a reliable antivirus solution before downloading Ammyy Admin. We have reported the problem to the Ammyy Admin developers.

    Ammyy Admin is a legitimate tool, but attackers often abuse it. As a result, some antivirus products, including ESET's, detect it as a potentially unwanted application. Nevertheless, the software is still widely used, particularly in Russia.

    Indicators of compromise

    [Table of indicators (columns: Installer, Win32/Kasidet, C&C server; rows: ESET detection names, SHA-1 hashes) not preserved in this copy.]