The malware is being distributed via a strategic web compromise. Since late October, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also various malware packages.
Jean-Ian Boutin, a malware researcher at ESET, commented: "The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so-called Advanced Persistent Threats."
The cybercrooks served up a Lurk downloader before dishing out Corebot and switching to Buhtrap by the end of October. The Ranbyus and Netwire RAT malware strains were served one after the other at the start of November.
“Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case,” ESET explains. “Thus it is quite possible that the cybercriminals responsible for the website hack sold the access to different groups.”
Ammyy Admin is a legitimate software package (used by top corporations and Russian banks, among others), even though it has a history of being abused by fraudsters. Several security software firms classify Ammyy as a potentially unwanted application.