Cybercriminals have been relying on the watering hole attack for many years as a consistent method for getting their malware onto victims’ machines. Recently, security researchers discovered that one group of attackers had compromised the site of a legitimate software company and found a way to insert their banking Trojan’s code into the company’s own downloader.
The operation targeted a company called Ammyy, which produces a remote desktop administration tool known as Ammyy Admin. While in the process of looking at a banking Trojan called Lurk earlier this year, researchers at Kaspersky Lab found that many users who had been targeted by Lurk also had Ammyy Admin on their machines. After a little more digging, the researchers concluded that the crew behind Lurk had been able to compromise the Ammyy site and backdoor the downloader for Admin so that it included the malware.
“In other words, the Ammyy Admin installer available for download on the manufacturer’s official website is basically a dropper Trojan designed to stealthily install a malicious program in the system, while displaying a screen mimicking the installation of legitimate software. We found out that the dropper was being distributed on a regular basis (with short breaks) over several hours on weekdays,” Vasily Berdnikov of Kaspersky wrote in an analysis of the attack.
Watering hole attacks are effective in targeting specific user groups
The first time the researchers noticed the compromise was in February, and they notified Ammyy officials, who removed the malware, only to see it return several more times. Recently, the attackers were able to compromise the Ammyy site again and have begun distributing a different piece of malware with slightly different functionality.
“In early April, the cybercriminals uploaded a new, slightly modified dropper for distribution. At launch, it used the function GetComputerNameExA to check if the computer being infected was part of a corporate network; if so, it launched the Lurk malicious program along with the remote administration tool. This shows that the cybercriminals were specifically hunting for corporate workstations and servers,” Berdnikov said.
The kind of attack that hit Amy’s site is typical of operations that a wide range of cybercrime groups use to distribute malware. They’re effective in targeting specific user groups, especially if the attackers can compromise a specialized site or one that caters to a specific type of visitor. Even some of the highest level attacker groups use this technique as it allows for precise victim selection. Berdnikov said the group behind Lurk may be working with other crews now.
“Interestingly, on June 1 the content of the dropper changed. On that very day, it was reported that the creators of Lurk had been arrested, and the website began distributing a new malicious program, Trojan-PSW.Win32.Fareit, in place of Lurk; this new Trojan was also designed to steal personal information. This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com,” he said.