Cerber is the seventh different malware variant distributed by the Ammyy Admin website in the past year

Sep 15, 2016 10:55 GMT  ·  By

The website of the Ammyy Admin remote desktop management tool has been compromised to spread malware yet again, for what is at least the seventh time in the past year.

Softpedia detected that something was wrong after we started receiving worrisome comments from our readers on two articles detailing past infections of the Ammyy Admin website.

  [D]ownloaded the ammyy remote onto two PCs this morning, now both PCs' files have been encrypted. I know it is the ammyy website because on the new PC it was the only website I have been on, there are no emails yet on this PC  

  I was infected too on this site. Just finished wiping my system for some sort of ransomware. STAY AWAY  

When we received the comments, Softpedia immediately contacted Lawrence Abrams of Bleeping Computer and ran some tests to replicate the infection and see what was happening.

All tests came back negative, but today security researcher MalwareHunterTeam told Softpedia why: the site had reverted to delivering its clean installer at around 6-8 PM UTC yesterday evening, before our tests ran.

Ammyy Admin website compromised for at least two days

The contaminated Ammyy Admin file that MalwareHunterTeam managed to obtain had been submitted to VirusTotal 20 times by 19 different submitters, between 2016-09-14 07:47:04 and 2016-09-15 06:50:39.

Some users have the habit of double-checking downloaded files by scanning them on VirusTotal, so the submission times bracket the compromise: the website was serving the trojanized file no later than the first submission and at least until the last one, making two days the minimum window during which visitors were exposed.

A sandbox (hybrid analysis) run of the file reveals a binary called "encrypted.exe" bundled together with the original AA_v3.exe, the legitimate installer. Anyone running the trojanized installer would therefore also execute encrypted.exe, which installs the Cerber ransomware.
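The bundling described above, a stub that carries the vendor's genuine installer alongside a payload, leaves a simple fingerprint: more than one PE image inside a single download. The following Python script is an added illustration, not code from the original report, from Ammyy, or from the researchers cited; it hashes a file so the digest can be compared with a vendor-published hash (Ammyy publishes none that we know of, so that input is an assumption) and walks the file for every MZ header whose e_lfanew field points at a valid "PE\0\0" signature. All sample bytes are constructed in the script; no real Ammyy or Cerber binaries are involved.

```python
"""Triage a downloaded installer for bundled executables.

Added example: a trojanized installer that carries the real setup program
plus a payload (as with AA_v3.exe and "encrypted.exe") usually contains
more than one PE image. This script hashes the file and finds every MZ
header whose e_lfanew field points at a valid "PE\\0\\0" signature.
All sample data below is constructed; nothing here is a real binary.
"""
import hashlib
import struct
from typing import List, Optional

PE_SIG = b"PE\x00\x00"
MAX_E_LFANEW = 0x1000  # heuristic ceiling; genuine headers sit well below this


def build_stub_pe(body: bytes = b"") -> bytes:
    """Constructed minimal PE-like image: DOS stub, e_lfanew at 0x3c -> PE sig."""
    image = bytearray(b"MZ" + b"\x00" * 0x3a)   # 0x3c bytes of DOS header
    image += struct.pack("<I", 0x40)            # e_lfanew: PE header at 0x40
    image += PE_SIG + b"\x00" * 20              # PE signature + blank COFF header
    return bytes(image) + body


def find_pe_images(data: bytes) -> List[int]:
    """Return the offset of every plausible PE image inside data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3c)[0]
            sig = pos + e_lfanew
            # A genuine header: e_lfanew lands past the DOS header, inside
            # the file, and exactly on the 'PE\0\0' signature.
            if 0x40 <= e_lfanew < MAX_E_LFANEW and data[sig:sig + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def assess(data: bytes, known_good_sha256: Optional[str] = None) -> dict:
    """Hash the file, count embedded PE images, and flag anything unexpected.

    known_good_sha256 is an assumed vendor-published digest; pass None when
    the vendor does not publish one.
    """
    digest = hashlib.sha256(data).hexdigest()
    offsets = find_pe_images(data)
    hash_mismatch = known_good_sha256 is not None and digest != known_good_sha256
    return {
        "sha256": digest,
        "matches_vendor_hash": (digest == known_good_sha256) if known_good_sha256 else None,
        "pe_offsets": offsets,
        "embedded_pe_count": max(len(offsets) - 1, 0),
        "suspicious": len(offsets) > 1 or hash_mismatch,
    }


# Constructed samples: a clean single-image installer, and a dropper that
# appends that installer plus a second binary (stand-in for the payload).
CLEAN_INSTALLER = build_stub_pe(b"installer body")
DROPPER = build_stub_pe(b"stub") + CLEAN_INSTALLER + build_stub_pe(b"payload")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_INSTALLER), ("dropper", DROPPER)):
        print(name, assess(blob))
```

Treat a positive result as a triage signal rather than a verdict: many legitimate self-extracting installers (NSIS, Inno Setup and the like) embed other executables by design, so the useful comparison is against a hash the vendor publishes over a trusted channel, or against a copy of the same installer obtained on a different day, which is exactly the comparison that would have exposed the two-day window described here.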

Ammyy Admin website serving latest version of the Cerber ransomware

Cerber, which appeared at the start of the year, has gone through several major versions; weaknesses in some of them were found, and security researchers released a free decrypter to help victims recover their files.

The build distributed via the Ammyy Admin installer is the latest, version 3, which appends the .cerber3 extension to the files it encrypts. At the time of writing, no decrypter exists for this version.

Cerber 3 ransom note

MalwareHunterTeam also tells Softpedia that he did not inform the website admin of the compromise and that the malicious distribution stopped on its own. Either the crooks realized they had been exposed, or they are simply preparing another version of the Ammyy installer that will spread a different type of malware.

Ammyy Admin website has spread at least six other types of malware

In the past, both ESET and Kaspersky have put out reports about how the site was used to spread all sorts of malware, such as the Ranbyus, Lurk and Buhtrap banking trojans, the CoreBot and Fareit infostealers, and the NetWire RAT.

ESET reported that the Ammyy Admin website spread malware in October and November 2015, while Kaspersky reported numerous similar incidents between February and July 2016.

Softpedia has reached out to Ammyy Admin's team for additional comments. At the time of writing, the Ammyy Admin downloads appear to be clean, but given the website's track record we cannot vouch that they will stay that way.

Other users have also noticed how many times this website has been hacked and are voicing their personal view that this is more than just a coincidence.

UPDATE [September 18, 2016]: Softpedia has received an answer from Ammyy's admins following our report that the site hosts malware. Our email went directly into an automatic support ticketing system. The response came days after our initial email, so it's likely not automated, but a real person answering. The response we got was "Hello. Send us the license number please."

We remind you that Ammyy is offered as a free download. This lack of a professional response to a serious security incident tells us that the site owners either don't care or are aware of what is happening via their website. In the meantime, we have received new tips about recent infections via Ammyy Admin.

Photo Gallery (3 images): Ammyy Admin website; Cerber 3 ransom note; Ammyy staff response