Legitimate remote admin tool compromised to spread trojan

According to this article at Ars, the remote admin tool Ammyy Admin was compromised and has been used by a criminal gang to install a banking trojan that drains its victims' bank accounts.  The article does an excellent job of detailing it, but the short story seems to be the following:

  • A criminal gang compromised the installer for Ammyy Admin so that, in addition to installing the legitimate remote administration tool (which would require elevated privilege), it also installed the malware.
  • The Ammyy Admin website was breached (per Kaspersky, multiple times) and scripts on the website were modified to increase the success of the attack.
  • Users who downloaded the Ammyy Admin tool from the legitimate Ammyy Admin website and installed it also (unknowingly) installed a banking trojan.

Since the attackers were able to modify PHP scripts on the Ammyy Admin website, they could likely have modified anything else on the site as well, including any published checksums.  Even so, it's never a bad idea to confirm the MD5 and / or SHA1 sums of a download when the site provides them.  Again, this likely wouldn't have helped here (unless the attackers forgot to, or were too lazy to, update the hashes, assuming that the victim wouldn't check), but this is a good opportunity to mention checking hashes to help verify that the files you're downloading are the files you planned on downloading.  A hash only adds assurance when it comes from somewhere the attacker can't also edit, so a value published on an independent channel is worth more than one sitting next to the download link.
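The following is an added example of the hash check described above; it is not code from the Ars article or from the Ammyy Admin project. It computes several digests of a downloaded file in one pass and compares them against published values, treating any single mismatch as a failed verification. The sample "installer" bytes, and the scenario where the file is swapped while the published hashes are left unchanged, are constructed here for illustration; the expected digests are assumed to have been obtained from a channel independent of the download site.

```python
"""Verify that a downloaded file matches published checksums.

Added example (not from the Ars article or from Ammyy Admin). Assumes the
expected digests were obtained from a channel the attacker cannot edit,
since hashes served by a compromised site can be rewritten along with
the installer itself.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large installer never has to fit in memory


def file_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests of a file in one pass; returns {alg: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_download(path, expected):
    """Compare a file's digests against published values.

    `expected` maps algorithm name -> hex digest (case-insensitive).
    Returns (ok, report), where report records the outcome per algorithm.
    One mismatch fails the whole verification: a file that matches the
    weak MD5 but not SHA-256 should still be treated as tampered.
    """
    actual = file_digests(path, tuple(expected))
    report = {}
    for alg, want in expected.items():
        # compare_digest does not short-circuit on the first differing byte
        report[alg] = hmac.compare_digest(actual[alg], want.strip().lower())
    return all(report.values()), report


def demo():
    """Constructed scenario: a good download, then a swapped file with stale hashes."""
    data = b"constructed sample installer bytes\n" * 1000  # constructed, not a real installer
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        # "published" digests, assumed to come from an out-of-band source
        published = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
        }
        good_ok, good_report = verify_download(path, published)
        # simulate a trojanised installer while the published hashes stay the same
        with open(path, "ab") as fh:
            fh.write(b"constructed extra payload appended\n")
        bad_ok, bad_report = verify_download(path, published)
    finally:
        os.unlink(path)
    return good_ok, bad_ok, good_report, bad_report


if __name__ == "__main__":
    ok_before, ok_after, before, after = demo()
    print("untouched file verified:", ok_before, before)
    print("modified file verified:", ok_after, after)
```

On Windows, where Ammyy Admin is used, the same comparison can be done by hand with `Get-FileHash -Algorithm SHA256 <file>` in PowerShell and a careful eye; the point of the script is that the comparison is exact, covers every published algorithm, and fails closed when any of them differs.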
