Hackers hijack legitimate Ammyy Admin website, use it as a malware-as-a-service platform to deliver banking trojans

Nov 12, 2015 20:48 GMT

For an entire week, the website of the Ammyy Admin remote desktop software was used to infect users with five different malware versions, some of which, ironically, gave attackers full control over the victim's PC.

According to ESET researchers, users who downloaded the Ammyy Admin remote desktop software during this period received the legitimate program bundled with a malware dropper.

This dropper was then used to download the actual malware payload, which varied significantly over the week of October 26 to November 2.

The dropper initially infected users with the Lurk downloader, itself a malware downloader used to infect victims with banking trojans, then moved on to CoreBot, a basic information stealer, and then to Buhtrap, a very dangerous and effective banking trojan.

In the following days, two more malware families were detected: the Ranbyus banking malware and the NetWire RAT.

The fact that the hackers who breached the ammyy.com website distributed so many different malware families in such a short period suggests that the criminals used it as an infection platform and sold access to other groups.

The concept of malware-as-a-service is not new, but it is not something you get to see on a regular basis.

The large number of banking trojans distributed through the website may have something to do with the fact that Ammyy Admin is usually used inside large enterprises for debugging purposes.

ESET claims that ammyy.com is now clean and no longer distributes the malicious version of the Ammyy Admin software.