Legitimate Remote Access Software Used to Propagate Lurk Gang Trojan
Kaspersky Lab announced today that its security experts discovered the criminals behind the Lurk banking Trojan used legitimate software for infection purposes. Users that installed legitimate remote access software from the developer’s website, ammyy.com, unwittingly had malware leaked on their machines.
Woburn, MA –July 18, 2016 – Kaspersky Lab announced today that its security experts discovered the criminals behind the Lurk banking Trojan used legitimate software for infection purposes. Users that installed legitimate remote access software from the developer’s website, ammyy.com, unwittingly had malware leaked on their machines.
The Lurk gang was arrested in Russia in the beginning of June 2016, and they were using a namesake multilayer Trojan. With its help, they reportedly managed to steal $45 million dollars (3 billion rubles) from banks, other financial institutions and businesses in the country.
To propagate the malware they used different malicious techniques, including watering hole attacks, when a legitimate website is hacked and infected with exploits that would then infect the PC of the victim with malware. One watering hole attack performed by Lurk was particularly interesting because it didn’t involve exploits, but legitimate software instead.
While running a technical analysis of Lurk, Kaspersky Lab experts noticed an interesting pattern - many of the malware’s victims had the remote desktop tool, Ammyy Admin, installed on their computers. This tool is quite popular among business system administrators, as it makes it possible for them to work with their organization’s IT infrastructure remotely.
To determine what the connection was between the tool and the malware, Kaspersky Lab experts went to the official Ammyy Admin website and tried to download the software. They succeeded, but analysis of the software from the website showed that along with the clean legitimate remote access tool, the Lurk Trojan was also downloaded. The thinking behind this strategy was clear: the victim was unlikely to notice the malware installation because, due to the nature of remote access software, it is treated as malicious or dangerous by some antivirus (AV) solutions. Knowing that IT service specialists inside businesses do not always pay proper attention to warnings from security solutions, many would treat it as a false positive if detected by their AV solution.
According to Kaspersky Lab data, the Lurk Trojan has been propagated through ammyy.com since early February 2016. Company researchers believe that attackers used weaknesses in the Ammyy Admin website security system, in order to add the malware to the installation archive of the remote access software. Kaspersky Lab experts informed the website owners about the incident immediately after spotting it, and they apparently fixed the problem.
However, at the beginning of April 2016, another version of the Lurk Trojan was registered on Ammyy’s website. This time fraudsters had started to propagate a slightly modified Trojan, which was automatically checking if the victim’s computer was part of a corporate network. The malware was only installed if a corporate network was confirmed, making its attacks more targeted.
Kaspersky Lab experts reported this suspicious activity again and received the company’s response that the problem was solved; however, on June 1, 2016, the company detected Trojan Fareit, another new malware, which had been planted on the website. This time the malware was intended to steal the personal information of users. This was also reported to owners of the website. Currently the site doesn’t host this malware.
“Using legitimate software for criminal purposes is a highly effective malware propagation technique, said Vasily Berdnikov, malware analyst, Kaspersky Lab. “First of all because cybercriminals are able to play with users’ perceptions about the safety of the legitimate software they are downloading. By downloading and installing software from well-known developers, users do not think about the possibility that there may be malicious attachments involved. This makes it much easier for cybercriminals to get access to their targets and significantly increases their number of victims.”
In order to mitigate the risk of this type of attack, IT services should constantly check for vulnerabilities inside their organizations, and combine this with the implementation of reliable security solutions and increasing the cybersecurity awareness among employees.
Kaspersky Lab products detect the above-mentioned malware as Trojan-Spy.Win32.Lurk and Trojan-PSW.Win32.Fareit, and prevents their installation from the ammyy.com website. We urge organizations to check their networks against this malware.
More information and attack specifications can be found in the blogpost on Securelist.
A detailed description of the Trojan Lurk’s functionality can be found here.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.
Learn more at www.kaspersky.com.
Media Contact:
Jennifer Wood
+1-781-439-2494
jennifer.wood@kaspersky.com
Legitimate Remote Access Software Used to Propagate Lurk Gang Trojan
Kaspersky
Related Articles Press Releases
Kaspersky report shows just how common scams are becoming on popular online services
Consumer security survey captures user experiences and attitudes related to online scams and privacy trendsRead More >