Attackers compromised the official website of Ammyy Admin and made to serve a malicious version of Ammyy Admin instead of the legitimate one and use FIFA World Cup trend to hide their malicious activity.
It appears the infected file served from the legitimate site between June 13 or 14, like the October 2015 incidents where the Ammyy Admin served with malicious codes linked with cybercrime group Buhtrap.
Security researches from ESET spotted the issue on June 13 midnight and it as was notified Ammyy.
Ammyy Admin and Kasidet bot
Users who download the Ammyy Admin between June 13 or 14 also received a multipurpose Trojan and banking malware dubbed Kasidet bot.
Kasidet bot sold in various underground hacking forums and it was detected with the Ammyy[.]com between June 13 or 14.
It is capable of stealing files that contains password and data related to cryptocurrency wallets and accounts of the victims. It looks for the following file types(bitcoin, pass.txt, passwords.txt, wallet.dat) and if it got matching file type it masks and sends them to C&C server.
Attackers used FIFA World Cup based domain fifa2018start[.]info/panel/tasks[.]php to hide their malicious network communication.
ESET researchers believe “the attack is related to 2015 attack, attackers were misusing ammyy.com to serve numerous malware families, changing them on an almost daily basis. In the 2018 case, ESET systems detected only Win32/Kasidet, however, the obfuscation of the payload changed on three occasions, probably to avoid detection by security products.”
Here you can find the analysis Analysis report and IoCs.
Also Read
Beware of FlawedAmmyy RAT that Steals Credentials and Record Audio Chat
Beware!! Google Map Vulnerability Allows an Attacker to Redirect Victims into Malicious Websites
Powerful APT Malware “Slingshot” Performs Highly Sophisticated Cyber Attack to Compromise Router
