A criminal gang recently found an effective way to spread malware that drains online bank accounts. According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download.
The legitimate tool is known as Ammyy Admin and is used to provide remote access to a computer so someone can work on it even when they don’t have physical access to it. According to Monday’s blog post, members of a criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website.
What resulted was a highly effective means of distributing the banking trojan. That's because the legitimate Ammyy tool and the banking trojan were similar in many ways: both provided remote access to the computer they ran on. As researchers from antivirus provider Kaspersky Lab explained: