21 July 2016

Ammyy Admin is an analog of TeamViewer solution, which allows remote administration of clients’ PCs. It is used mostly in Russia by corporate and home users.

Researchers from Kaspersky Lab discovered new distribution technique of banking trojan Lurk. According to report, hackers were able to compromise website of Russian Ammyy Admin remote administration tool and deliver malware along with legit application to victims’ computers.

Ammyy Admin is delivered as NSIS archive, which contains two binaries inside:

aa_v3.exe – legit digitally signed installer of Ammyy Admin

ammyysvc.exe – trojan, detected by Kaspersky Lab as Trojan-Spy.Win32.Lurk.

This is the second time when Ammyy Admin website gets hacked and distributes malware. The previous incident occurred in November, 2015. Hackers were able to compromise the website and slightly change PHP code, responsible for Ammyy Admin delivery. As a result, the victim downloaded legit application along with malware dropper.

At the moment of this writing, the downloaded binary AA_v3.exe is digitally signed and does not seem to contain malicious code.