Trojanized Remote-Access Tool Spreads MalwareKaspersky: Bundled Downloads Fool Admins, Foil Detection
See Also: Splunk Predictions 2020
Kaspersky and others say the growing threat points to the need for organizations to curtail any administrative privileges granted to employees who also have the ability to download remote-access tools or software.
"There is no problem with detecting the malware," Vasily Berdnikov, a security expert at Kaspersky, tells Information Security Media Group. "The problem is that, in this case, the malware came packed with legitimate software. The thinking behind this strategy is simple: Criminals expect that the system administrator will simply ignore the warning from the security solution, because he will be sure that he is downloading legitimate software from the legitimate source."
Attackers have long favored gaining access to remote-access tools present inside victim organizations, because they provide an easy way to remotely launch further attacks or exfiltrate data (see TeamViewer Bolsters Security After Account Takeovers). But Berdnikov says this is the first time Kaspersky's researchers have seen a criminal group hide malware inside a legitimate remote-access tool.
"We've never seen financially motivated criminals using this method," he says. "Although there were attacks when legitimate software was Trojanized on its way to the user, these attacks were publicly attributed to a nation-state actor."
But adding malware to software bundles "has always been especially prevalent in freeware/shareware," says Steven Grossman, a vice president at security firm Bay Dynamics.
Even Apple hasn't been immune to such attacks. In 2015, for example, attackers distributed a Trojanized version of Apple's free Xcode Development Software to implant " XcodeGhost" into iOS apps (see Apple Battles App Store Malware Outbreak).
Defending against such attacks requires several security strategies. "In addition to highlighting the need for endpoint protection, it especially highlights the need to lock down administrative access to users' machines, so that they cannot download and install unapproved software," Grossman says. "That one simple step prevents a whole host of security problems, including the installation of many, though not all, malicious software applications. It also points to monitoring user activities and identifying when their behavior changes, which is often an indicator of a compromised account."
Lurk Connection Detected
The discovery of the Trojanized Ammyy Admin software dates from earlier this year, when Kaspersky says its researchers noticed an odd coincidence when reviewing systems infected with the Lurk banking Trojan - a malware strain commonly used to compromise Russian bank accounts. Namely, all of the PCs infected with Lurk also had recently downloaded the Ammyy Admin remote-access tool, Kaspersky Lab researchers say in a July 18 blog post.
The researchers surmised that when system administrators or users with admin rights downloaded the Ammyy Admin tool, their devices were also automatically being infected by Lurk.
"From the data we had, it emerged that the users attacked by Lurk also installed the remote administration software Ammyy Admin on their computers," according to the Kaspersky Lab blog. "At first, we didn't really give this much thought, but further research showed that the official Ammyy Admin website had most probably been compromised, and the Trojan had been downloaded to users' computers along with the legitimate Ammyy Admin software."
Kaspersky says that from February to June, it repeatedly warned Ammyy that its site had been breached. Although Ammyy promptly removed the malicious code after each notification, the malware always quickly returned, Kaspersky says.
Ammyy did not immediately respond to ISMG's request for comment.
Russians Bust Lurk Suspects
Related attacks appear to have been evolving. In June, Russian authorities apprehended the cybercriminals believed to be behind the Lurk Trojan (see Russian Police Bust Alleged Bank Malware Gang).
But Kaspersky suggests that a new group may now be using the Ammyy site to distribute a similar type of malware - one that is designed to steal personal information and compromise bank accounts - in the same way as Lurk.
"Interestingly, on June 1 [after the Lurk takedown], the content of the dropper changed," Kaspersky researchers say in their blog post. "On that very day, it was reported that the creators of Lurk had been arrested, and the website began distributing a new malicious program, Trojan-PSW.Win32.Fareit, in place of Lurk; this new Trojan was also designed to steal personal information. This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com."
The Kaspersky researchers say that malware that gets bundled with remote-access tools should be cause for increasing concern, since any remote-access tool could potentially be Trojanized by attackers.
"We should note that attacks of this type [watering hole] are very effective, and doubly dangerous if they target the users of a remote administration software tool: Administrators using such a tool might presume that a malware [or malicious activity] detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself," the Kaspersky researchers say. "Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer."
Defending Against Trojanized Tools
To mitigate the risks posed by malware that gets bundled with legitimate software, security experts recommend organizations put in place several defenses:
- React: Never ignore an infection-related security warning, even if it gets triggered by what should be a legitimate tool, and "especially when it comes to downloading remote-access tools for work purposes," Berdnikov says. "These are very popular tools among cybercriminals nowadays," he adds, meaning they're always looking for innovative ways to hack into them.
- Educate: Educate staff about the potential malware risks related to downloading legitimate tools, backed up by automated security tools "in combination with threat intelligence services," Berdnikov says. "The latter can easily let you know if companies like yours are currently under attack by a certain type of threat [actor]."
- Restrict: Block employees' ability to download or install unapproved software, Grossman at Bay Dynamics says.
- Verify: Whenever possible, check the digital signature of any application that's been downloaded, to ensure that it hasn't been tampered with Berdnikov says.
Of course it also helps to avoid downloading software from sites that have repeatedly been compromised, Berdnikov adds. But as the use of the legitimate Ammyy Admin tool demonstrates, any application can potentially get subverted by attackers to help them spread malware.