Ammyy Admin site compromised again

    We warn users who downloaded the remote access program Ammyy Admin from the official site on June 13-14: the site was compromised, and during that interval a trojanized version of the program was served from it. Another nuance: the attackers used the FIFA World Cup brand to disguise the malicious network activity.

    In October 2015, the site offering the free version of Ammyy Admin had already been used to distribute malware. We associate that attack with the well-known Buhtrap cyber group. Now history repeats itself. We first recorded the problem shortly after midnight on June 13; the malware distribution lasted until the morning of June 14.


    Remote administration tool with a Kasidet bot included


    Users who downloaded Ammyy Admin on June 13-14 received a bundle of the legitimate software and a multipurpose Trojan, which ESET products detect as Win32/Kasidet. We recommend that potential victims scan their devices with an antivirus product.

    Win32/Kasidet is a bot that is sold on the darknet and actively used by various cyber groups. The build found on ammyy.com on June 13 and 14, 2018, had two functions:

    1. Theft of files that may contain passwords and other credentials for the victim's cryptocurrency wallets and accounts. For this purpose, the malware searches for the following file names and sends the matching files to the C&C server:
    - bitcoin
    - pass.txt
    - passwords.txt
    - wallet.dat

    2. Search for running processes with the following names (cryptocurrency wallets, the KeePass password manager, and remote access and administration clients such as PuTTY, mstsc and WinSCP):
    - armoryqt
    - bitcoin
    - exodus
    - electrum
    - jaxx
    - keepass
    - kitty
    - mstsc
    - multibit
    - putty
    - radmin
    - vsphere
    - winscp
    - xshell

    The URL of the C&C server (hxxp://fifa2018start[.]info/panel/tasks.php) is also of interest: it seems the attackers decided to use the World Cup brand to disguise the malicious network activity.

    We found similarities with the 2015 attack. Back then, the attackers used ammyy.com to distribute several families of malware, changing them almost every day. In 2018, only Win32/Kasidet was distributed, but the obfuscation of the payload was changed three times, probably to avoid detection by antivirus products.

    Another similarity between the incidents is the identical name of the file containing the payload, Ammyy_Service.exe. The downloaded AA_v3.exe installer may look legitimate at first glance, but the attackers used SmartInstaller to create a new binary that drops Ammyy_Service.exe before installing Ammyy Admin.

    Conclusion


    Since this is not the first time ammyy.com has been compromised, we recommend installing a reliable antivirus solution before downloading Ammyy Admin. We have reported the problem to the Ammyy Admin developers.

    Ammyy Admin is a legitimate tool, but attackers often misuse it. As a result, some antivirus products, including ESET's, detect it as a potentially unwanted application. The software nonetheless remains widely used, in particular in Russia.

    Indicators of compromise


    ESET detection name
    Win32/Kasidet

    SHA-1 hashes

    Installer (trojanized AA_v3.exe):
    6D11EA2D7DC9304E8E28E418B1DACFF7809BDC27
    6FB4212B81CD9917293523F9E0C716D2CA4693D4
    675ACA2C0A3E1EEB08D5919F2C866059798E6E93

    Win32/Kasidet payload (Ammyy_Service.exe):
    EFE562F61BE0B5D497F3AA9CF27C03EA212A53C9
    9F9B8A102DD84ABF1349A82E4021884842DC22DD
    4B4498B5AFDAA4B9A2A2195B8B7E376BE10C903E

    C&C server
    fifa2018start[.]info
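As an added example (not part of the original report and not ESET's code), the script below turns the indicators above into practical checks: it refangs the published C&C URL so it can be matched against logs, hashes files in a download directory against the SHA-1 list, and flags proxy log lines that contact the C&C domain or any of its subdomains without also matching look-alike domains that merely start with the same string. The hash list and C&C URL are the ones published above; the proxy log lines and file contents are constructed for the example.

```python
"""Match the Ammyy Admin / Win32/Kasidet IoCs against local files and proxy logs.

Added example. Hashes and the C&C URL come from the published report;
the sample log lines below are constructed, not real traffic.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# SHA-1 hashes from the report, lowercased for comparison.
INSTALLER_SHA1 = {
    "6d11ea2d7dc9304e8e28e418b1dacff7809bdc27",
    "6fb4212b81cd9917293523f9e0c716d2ca4693d4",
    "675aca2c0a3e1eeb08d5919f2c866059798e6e93",
}
KASIDET_SHA1 = {
    "efe562f61be0b5d497f3aa9cf27c03ea212a53c9",
    "9f9b8a102dd84abf1349a82e4021884842dc22dd",
    "4b4498b5afdaa4b9a2a2195b8b7e376be10c903e",
}
KNOWN_BAD = {**{h: "installer" for h in INSTALLER_SHA1},
             **{h: "Win32/Kasidet" for h in KASIDET_SHA1}}

# The C&C URL exactly as published (defanged so it cannot be clicked by accident).
C2_DEFANGED = "hxxp://fifa2018start[.]info/panel/tasks.php"


def refang(indicator: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] and (.) -> '.'."""
    s = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


C2_URL = refang(C2_DEFANGED)
C2_HOST = urlparse(C2_URL).hostname  # "fifa2018start.info"


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(sha1_hex: str):
    """Return 'installer', 'Win32/Kasidet' or None for a SHA-1 hex digest."""
    return KNOWN_BAD.get(sha1_hex.lower())


def scan_directory(directory) -> dict:
    """Hash every regular file under directory; return {path: label} for known-bad ones."""
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file():
            label = classify_hash(sha1_of_file(p))
            if label:
                hits[str(p)] = label
    return hits


def host_matches(host: str, c2_host: str = C2_HOST) -> bool:
    """Exact domain or a subdomain of it; 'fifa2018start.info.example.net' must not match."""
    host = host.lower().rstrip(".")
    return host == c2_host or host.endswith("." + c2_host)


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def scan_proxy_log(lines) -> list:
    """Return (line_number, url) for every log line whose URL points at the C&C domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host_matches(host):
                hits.append((n, url))
    return hits


# Constructed Squid-style access.log lines (clients and 203.0.113.x servers are made up).
SAMPLE_LOG = [
    "1528880410.201 245 10.0.0.15 TCP_MISS/200 512 GET http://fifa2018start.info/panel/tasks.php - HIER_DIRECT/203.0.113.10 text/html",
    "1528880415.877 80 10.0.0.22 TCP_MISS/200 2048 GET http://www.ammyy.com/ - HIER_DIRECT/203.0.113.20 text/html",
    "1528880470.002 300 10.0.0.15 TCP_MISS/200 128 POST http://www.fifa2018start.info/panel/tasks.php - HIER_DIRECT/203.0.113.10 text/plain",
    "1528880499.314 60 10.0.0.31 TCP_MISS/200 900 GET http://fifa2018start.info.example.net/ - HIER_DIRECT/203.0.113.30 text/html",
]

if __name__ == "__main__":
    print("C&C host:", C2_HOST)
    for n, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: C&C contact -> {url}")
    import sys
    for d in sys.argv[1:]:  # e.g. python kasidet_ioc.py ~/Downloads
        for path, label in scan_directory(d).items():
            print(f"{path}: known-bad {label}")
```

Run it with one or more download directories as arguments to hash their contents; with no arguments it only scans the built-in sample log. Note that the hash check only catches the three builds listed above; since the payload's obfuscation was changed three times during the two-day window, an antivirus scan remains the recommended check for hosts that downloaded Ammyy Admin on June 13-14.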
