loader gif

Ammyy Admin site compromised to serve up malware with World Cup as smokescreen

Ammyy Admin site compromised to serve up malware with World Cup as smokescreen

Free remote administration tool Ammy Admin's official website has been compromised by hackers to serve up malware-laced versions of the legitimate software. The attackers also attempted to hide the nefarious activities behind the ongoing FIFA World Cup 2018 in Russia.

ESET researchers said the issue was first spotted on ammyy.com shortly after midnight on June 13 and persisted until the morning of June 14 - the day the opening ceremony and opening match kicked off.

Users who happened to download software from the site during this time frame also likely received the multipurpose Trojan and banking malware Win32/Kasidet along with the legitimate remote admin software.

"Win32/Kasidet is a bot that is sold in underground crime markets and is actively used by various cybercriminal groups," ESET researchers said in a blog post.

The malware itself is capable of stealing files that could contain passwords or access data for cryptocurrency wallets and accounts. To do so, it scans the infected system for relevant filenames and processes before sending them to the attackers' C&C server. The URL of the C&C server is also World Cup-themed and contains the phrase "fifa2018".

"It seems as if it was designed by the attackers to use the ongoing FIFA World Cup as cover for their malicious network communication," researchers noted.

This isn't the first time Ammyy Admin has fallen victim to a hack.

In October 2015, the website began pushing malicious code linked to the hacker group Buhtrap. In addition to the than the Ammyy Admin, victims also received a Nullsoft Scriptable Installation Software (NSIS) used to install tools designed to spy on victims and control their infected systems. In that incident, the attackers exploited the site to deploy multiple malware families nearly every day.

However, in the latest incident, only Win32/Kasidet was detected.

"Another similarity between the incidents was the identical name of the file – Ammyy_Service.exe –containing the payload," researchers noted. "The downloaded installer AA_v3.exe may look legitimate at first sight, however the attackers have used SmartInstaller and built a new binary, which drops the Ammyy_Service.exe before installing Ammyy Admin software."

ESET said it has notified Ammyy Admin of the issue.

loader gif