While researching the dangerous banking trojan, Lurk, Kaspersky Lab security experts have found that criminals behind this malware used legitimate software for infection purposes. While unsuspecting users were installing legitimate remote access software from a software developer’s official website (ammyy.com), they unwittingly had malware leaked on their machines.
The Lurk gang was arrested in Russia in the beginning of June 2016 and was using a namesake multilayer trojan. With its help, they reportedly managed to steal 45 million dollars from banks, other financial institutions and businesses in the country.
To propagate the malware they used different malicious techniques, including watering hole attacks, when a legitimate website is hacked and infected with exploits that would then infect the PC of the victim with malware. One of examples of a watering hole attack performed by Lurk, was particularly interesting because it didn’t involve exploits, but legitimate software instead.
While running a technical analysis of Lurk, Kaspersky Lab experts noticed an interesting pattern - many of the malware’s victims had remote desktop tool Ammyy Admin installed on their computers. This tool is quite popular among business system administrators, as it makes it possible for them to work with their organization’s IT infrastructure remotely. But what is the connection between the tool and the malware?
To get the answer to this question Kaspersky Lab experts went to the official Ammyy Admin website and tried to download the software. They succeeded, but analysis of the software from the website showed that along with the clean legitimate remote access tool, the Lurk trojan has also been downloaded. The thinking behind this strategy was clear: the victim was unlikely to notice the malware installation because, due to the nature of remote access software, it is treated as malicious or dangerous by some AV solutions. Knowing that IT service specialists inside businesses do not always pay proper attention to warnings from security solutions, many would treated it as a false positive if detected by their AV solution. Users were not realizing that malware had in fact been downloaded and installed on their machines.
According to Kaspersky Lab data, the Lurk trojan has been propagated through ammyy.com since early February 2016. Company researchers believe that attackers used weaknesses in the Ammyy Admin website security system, in order to add the malware to the installation archive of the remote access software. Kaspersky Lab experts informed the website owners about the incident immediately after spotting it, and they apparently fixed the problem.
However at the beginning of April 2016, yet another version of the Lurk trojan was registered on Ammyy’s website. This time fraudsters had started to propagate a slightly modified Trojan, which was automatically checking if the victim’s computer was part of a corporate network. The malware was only installed if a corporate network was confirmed, making its attacks more targeted.
Kaspersky Lab experts reported this suspicious activity again and received the company’s response that the problem was solved. However on June 1, 2016 we detected trojan Fareit, another new malware, which had been planted on the website. This time the malware was intended to steal the personal information of users. This was also reported to owners of the website.
Currently the site doesn’t host this malware.
‘Using legitimate software for criminal purposes is a highly effective malware propagation technique. First of all because cybercriminals are able to play with users’ perceptions about the safety of the legitimate software they are downloading. By downloading and installing software from well-known developers, users do not think about the possibility that there may be malicious attachments involved. This makes it much easier for cybercriminals to get access to their targets and significantly increases their number of victims’ – warns Vasily Berdnikov, Malware Analyst, Kaspersky Lab.
In order to mitigate the risk of this type of attack, IT services should constantly check for vulnerabilities inside their organizations, and couple this with the implementation of reliable security solutions and a growing awareness about cybersecurity among employees.
Kaspersky Lab products detect the above-mentioned malware as Trojan-Spy.Win32.Lurk and Trojan-PSW.Win32.Fareit, and prevents their installation from the ammyy.com website. We urge organizations to check their networks against this malware.
More information and attack specifications can be found in the blogpost on Securelist.
A detailed description of the trojan Lurk’s functionality can be found here.
 data from the Ministry of Internal Affairs in Russia