In late October and early November this year, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also malware.
ESET researchers noticed in late October that, for about a week, visitors to ammyy.com were downloading an installer that contained malware along with the Ammyy product. While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters and several security products, such as ESET's, detect it as a Potentially Unsafe Application.
Similarly, Download.com, a major download site, doesn’t provide a direct-download link to Ammyy software to users, instead listing the Ammyy Admin page for information purposes only. However, Ammyy Admin is still widely used: Ammyy’s website lists clients that include TOP500 Fortune companies as well as Russian banks.
According to the ESET investigation, five different malware families were distributed through Ammyy’s website during the recent incident. The first malware, the Lurk downloader, was distributed on October 26. Next wasCorebot on October 29, then Buhtrap on October 30, and finally Ranbyus and Netwire RAT on November 2. Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case. Thus it is quite possible that the cybercriminals responsible for the website hack sold the access to different groups.
Of the malware distributed via Ammyy’s website, of particular interest is the install package used in Operation Buhtrap.