Remote access software used by hackers to distribute malware

Security researchers have discovered that hackers are installing malware on victims' computers by bundling it with legitimate remote administration software.

According to a blog post by researchers at Kaspersky, computers infected with a banking Trojan called Lurk were also found to have the remote administration software Ammyy Admin installed.

The post said that further research showed the official Ammyy Admin website had "most probably been compromised" and that the Trojan had been downloaded to users' computers along with the legitimate Ammyy Admin software.

"It turned out that on the official site of Ammyy Admin (which is used for remote desktop access) there was an installer that did not have a digital signature and was an NSIS archive," said Kaspersky Lab researcher Vasily Berdnikov.

When this archive was launched, two files were created in a temporary folder and executed: aa_v3.exe, the installer of the Ammyy Admin administration tool, which carried a digital signature; and ammyysvc.exe, the malicious spyware program Trojan-Spy.Win32.Lurk.

"In other words, the Ammyy Admin installer available for download on the manufacturer's official website is basically a dropper Trojan designed to stealthily install a malicious program in the system, while displaying a screen mimicking the installation of legitimate software," said Berdnikov.
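The telltale detail in the researchers' account is an unsigned NSIS installer on a site whose real product ships signed. As an added illustration (not code from the article, Kaspersky or Ammyy), the Python below performs that triage on a downloaded file: it checks whether the PE image carries an Authenticode certificate table, whether it looks like an NSIS archive, and flags the unsigned-NSIS combination. The `build_fake_pe` helper constructs bare PE header skeletons as test input; every function name here is my own.

```python
import struct

SECURITY_DIR = 4  # index of the certificate table in the PE data directories

def _data_directory_offset(data: bytes):
    """File offset of the PE data directories, or None if this is not a PE image."""
    try:
        if data[:2] != b"MZ":
            return None
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 24                            # past signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
    except struct.error:
        return None
    return {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+

def has_authenticode_table(data: bytes) -> bool:
    """True if a certificate table is attached; chain/signer validation is a separate step."""
    dd = _data_directory_offset(data)
    if dd is None or dd + SECURITY_DIR * 8 + 8 > len(data):
        return False
    offset, size = struct.unpack_from("<II", data, dd + SECURITY_DIR * 8)  # file offset
    return offset != 0 and size != 0 and offset + size <= len(data)

def looks_like_nsis(data: bytes) -> bool:
    """NSIS installers carry the 'NullsoftInst' marker in their first header."""
    return b"NullsoftInst" in data

def triage_installer(data: bytes) -> str:
    """Unsigned NSIS archive from a vendor that normally signs: the pattern described above."""
    if _data_directory_offset(data) is None:
        return "not-pe"
    if has_authenticode_table(data):
        return "signed"
    return "unsigned-nsis" if looks_like_nsis(data) else "unsigned"

def build_fake_pe(signed: bool, nsis: bool) -> bytes:
    """Constructed sample: a bare PE32 header skeleton for testing, not a real program."""
    pe_off = 0x80
    img = bytearray(pe_off + 24 + 224)               # headers + PE32 optional header
    img[:2], img[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe_off)
    struct.pack_into("<H", img, pe_off + 24, 0x10B)  # PE32 magic
    tail = bytearray(b"\xef\xbe\xad\xdeNullsoftInst" if nsis else b"")
    if signed:                                       # attach a placeholder WIN_CERTIFICATE blob
        struct.pack_into("<II", img, pe_off + 24 + 96 + SECURITY_DIR * 8, len(img) + len(tail), 8)
        tail += b"\x00" * 8
    return bytes(img) + bytes(tail)
```

A "signed" verdict only means a signature blob is present; validate the chain and signer with `signtool verify` or PowerShell `Get-AuthenticodeSignature` before trusting it.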

He added that his team had found the dropper was being distributed regularly (with short breaks) over several hours on weekdays.

Some browsers have since flagged the Ammyy website as potentially dangerous and warned users about the presence of unwanted software. Berdnikov said his firm had informed Ammyy Group of the new attack and of the new malware being distributed from the website ammyy.com.

As yet, it is not known if the problem has been resolved.

Travis Smith, security researcher at Tripwire, said that it is human nature to let your guard down when you feel safe.

"As users begin to interact with new sites, their trust begins to build over time when there are no negative consequences. Attackers can exploit this trust relationship using drive-by downloads. By either compromising the website or leveraging malvertising, attackers can redirect users to a malicious website which will leverage a wide array of tools to infect the victim," he said.

"Since many exploits rely on known vulnerabilities, the easiest prevention mechanism is to install the operating system and all application patches as soon as possible," he added. "Only run applications and browser extensions which are absolutely necessary. Additional code running on the machine, such as applications or browser extensions, increases the attack surface for attackers."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.