According to this article at Ars, the remote admin tool Ammyy Admin was compromised and has been used by a criminal gang to install a banking trojan that drains its victims' bank accounts. The article does an excellent job of detailing it, but the short story appears to be the following:
- A criminal gang compromised the installer for Ammyy Admin so that, in addition to installing the legitimate remote administration tool (which requires elevated privileges, so the malware got them too), it also installed the malware.
- The Ammyy Admin website was breached (multiple times, per Kaspersky), and scripts on the website were modified to increase the success of the attack.
- Users who downloaded Ammyy Admin from the legitimate Ammyy Admin website and installed it also (unknowingly) installed the banking trojan.
Since the attackers were able to modify PHP scripts on the Ammyy Admin website, they could most likely have modified anything else on the site as well, including any published checksums. Still, it is never a bad idea to confirm the MD5 and/or SHA1 sums of a download when the site provides them. Checking hashes probably would not have helped here (unless the attackers neglected to update the published hashes on the assumption that nobody would check), but this is a good opportunity to mention checking hashes to help verify that the file you downloaded is the file you intended to download. One caveat worth keeping in mind: a hash published on the same site as the download sits inside the same trust boundary as the download, so it only catches corrupted or mirror-swapped files. What actually protects against a site compromise like this one is a hash obtained out of band (a mailing list, a signed release announcement, a second source you trust) or a signature verified against a key you did not fetch from the compromised site. And where a vendor offers SHA-256 alongside MD5 or SHA-1, prefer it; the older two are collision-broken, which matters when the attacker controls both the clean and the trojaned build.
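As an added example (not code from the original post or from Ammyy), here is the check in shell form. It computes the digest of the downloaded file with the coreutils `md5sum`/`sha1sum`/`sha256sum` tools (falling back to `openssl dgst` where those are missing, as on macOS) and compares it, case-insensitively, to the expected hash you pass in. The expected hash is deliberately a parameter rather than something fetched from the download URL: the whole point is that it should come from a source other than the site that served the file. The function and file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a hash obtained out of band.
# Assumes GNU coreutils (md5sum, sha1sum, sha256sum) or, failing that, openssl.

# compute_hash ALGO FILE
#   Prints the lowercase hex digest of FILE using ALGO (md5, sha1 or sha256).
#   Returns 2 on an unsupported algorithm or a tool failure.
compute_hash() {
    algo="$1"; file="$2"
    case "$algo" in
        md5|sha1|sha256) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then
        # GNU coreutils: "<hex>  <filename>"
        out=$("${algo}sum" "$file") || return 2
    else
        # Fallback: openssl -r prints the same "<hex> *<filename>" layout
        out=$(openssl dgst "-$algo" -r "$file") || return 2
    fi
    # Keep only the first field (the digest) and normalise to lowercase.
    printf '%s\n' "$out" | awk '{print tolower($1)}'
}

# verify_download ALGO FILE EXPECTED_HEX
#   Returns 0 if FILE's ALGO digest equals EXPECTED_HEX (any case), 1 on a
#   mismatch, 2 if the file is missing or the digest could not be computed.
#   Hash the exact bytes you are about to execute; do not run the installer
#   first and verify afterwards.
verify_download() {
    algo="$1"; file="$2"; expected="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(compute_hash "$algo" "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $algo $expected"
        return 0
    fi
    echo "MISMATCH: $file $algo is $actual, expected $expected" >&2
    return 1
}

# Example usage (installer name and hash are placeholders, not real Ammyy values):
#   verify_download sha256 ./AA_v3.exe <hash-from-out-of-band-source> && ./AA_v3.exe
```

If the vendor publishes a `SHA256SUMS` file, `sha256sum -c SHA256SUMS` does the same comparison for every file listed, but the same rule applies: that sums file is only worth something if you got it, or a signature over it, from somewhere the attacker did not control.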