Beware of cyber stowaways

During an analysis of the dangerous "Lurk" banking Trojan, Kaspersky Lab discovered a perfidious method that cybercriminals can use to install malicious software on targeted corporate computers. When users downloaded the legitimate remote maintenance software "Ammyy Admin", which is popular among system administrators, the Lurk malware was secretly bundled with it and installed alongside it.


The Lurk gang was arrested in Russia in June 2016. The experts from Kaspersky Lab have now discovered that the Lurk Trojan was included in the download of the Ammyy Admin remote access tool, which is popular with IT administrators. The intention behind this: although some IT security solutions classify remote administration tools as dangerous, users and system administrators tend to ignore the corresponding warning message because they assume it is a false positive. The dangerous part is that in the case of Lurk, malware was loaded and installed on the system unnoticed, despite the warning message.

"Using legitimate software is a very effective technique to spread malware," said Vasily Berdnikov, malware analyst at Kaspersky Lab. "By doing so, cybercriminals give the user the impression that this is legitimate and therefore safe software. People who download and install software from a known vendor don't think about the fact that a cyber stowaway might be on board. Cybercriminals use this method to facilitate access to their targets and increase the number of victims."

Targeted dissemination

Kaspersky Lab believes that the Lurk Trojan has been spread via the ammyy.com website since February 2016. The attackers probably exploited vulnerabilities in the security of the Ammyy Admin website and smuggled the malware into the installation archive of the remote access program. Kaspersky Lab notified the website owners immediately after the discovery, and the vulnerability was subsequently fixed without delay.

In April 2016, another version of the Lurk Trojan was discovered on the Ammyy website. This slightly modified version of the malware was able to check automatically whether a computer belonged to a corporate network. The malware was only delivered if the machine was actually a corporate computer, which made the distribution highly targeted.

To prevent such cyber risks, IT service providers should regularly check their organization for possible vulnerabilities, always in combination with a deployed IT security solution.

Text: Kaspersky Lab/essential media GmbH
