Ammyy Admin website compromised with ransomware

Posted on: Sep 29, 2016 | Author: Kostas Matsoukas | Categories: Security

The website of the popular remote desktop management tool Ammyy Admin has been compromised to distribute malware for the seventh time in the past year.

The security researcher MalwareHunterTeam reported that the website stopped delivering the threat at around 6-8 PM yesterday evening. At that point it reverted to serving its clean installer, which is why other researchers were not able to find anything suspicious.


However, MalwareHunterTeam managed to obtain the malicious Ammyy file, which had been uploaded to VirusTotal 20 times by 19 different users. All of this happened over the course of almost two days, from September 14th to 15th, meaning the Ammyy Admin website was compromised for at least two days.

A deeper analysis of the file showed that a binary called “encrypted.exe” was embedded in the original installer, AA_v3.exe. Every user who downloads and runs the installer gets the malicious file as well, which delivers the notorious Cerber ransomware.
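As an added illustration that is not part of the original article, the following Python script shows one way a defender can triage a downloaded installer for this kind of trojanization: it parses the PE section table, measures how much data sits beyond the last declared section, and flags any second MZ/PE image riding along in that overlay. It builds its own tiny, constructed PE images as demo input; it does not use or reproduce any real Ammyy file.

```python
import struct

def pe_overlay_info(data: bytes) -> dict:
    """Parse the PE headers and report data that lies beyond the last declared section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size  # 4-byte signature + 20-byte COFF header
    declared_end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        declared_end = max(declared_end, raw_ptr + raw_size)
    # Anything after the last section is "overlay". Legitimate installers use it for
    # archives and resources, but a whole second PE image there is a strong signal.
    embedded = []
    pos = data.find(b"MZ", declared_end)
    while pos != -1:
        if len(data) >= pos + 0x40:
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                embedded.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return {"declared_end": declared_end, "file_size": len(data),
            "overlay_bytes": len(data) - declared_end, "embedded_pe_offsets": embedded}

def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed, non-runnable PE image with one section, used only as demo input."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    raw_ptr = e_lfanew + 4 + 20 + 40  # headers end here; section data follows
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff + section + section_payload

CLEAN_INSTALLER = build_minimal_pe(b"\xC3" * 16)                        # constructed stand-in
TROJANIZED_INSTALLER = CLEAN_INSTALLER + build_minimal_pe(b"\x90" * 8)  # second PE appended

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        print(name, pe_overlay_info(blob))
```

A non-empty overlay alone is not proof of tampering; the practical check is to compare the result, and the file hash, against a known-good copy of the vendor's installer.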

Cerber first appeared on the ransomware stage at the beginning of 2016. Since then it has gone through several versions, some of which researchers were able to crack. However, the Ammyy Admin installer delivers Cerber's newest version 3, which, at least for now, cannot be decrypted. The ransomware appends the “.cerber3” extension to every encrypted file.

MalwareHunterTeam revealed that he did not notify Ammyy of the issue. The compromise ended on its own, and he assumed that either the attackers realised they had been exposed or that they are preparing to use the Ammyy installer to deliver other types of malware as well.

In the past year, the Ammyy website was abused to deliver six other pieces of malware: the Ranbyus, Lurk and Buhtrap banking Trojans, the CoreBot and Fareit infostealers, and the NetWire RAT. Both ESET and Kaspersky reported such cases, ESET for October and November 2015 and Kaspersky for February to July 2016.

Currently, the Ammyy website is clean but no one knows for how long, keeping in mind their track record.
