Criminals have found a very effective way of planting banking malware and draining accounts.
Criminals are always on the lookout for new methods of stealing money from unsuspecting, hardworking people. A criminal gang has now found a way to plant an account-draining Trojan on victims' systems. According to Kaspersky's blog post published on Monday, the criminals hid the malicious executable inside a file that is supposed to install a legitimate and very useful administrative tool called Ammyy Admin.
Ammyy Admin is a legitimate tool that gives users remote access to a computer, so that it can be administered when there is no physical access to the machine. According to the blog post, Lurk is the criminal group that managed to slip the malicious spyware into the Ammyy Admin download file. It is somewhat difficult to explain how Lurk managed to tamper with the download file so that, once installed, Ammyy Admin stealthily executes the account-draining malware. The criminals' chances of success would not have been so real had they not first compromised the Ammyy web server. The group modified the PHP script running on the server so that they had control of what the server delivered.
The group thus came up with an efficient way of spreading a banking Trojan to unsuspecting users. The efficacy of the banking Trojan is increased by the fact that the malware behaves the same way the administrative tool does: both provide remote access to a computer, so the malicious activity blends in with the legitimate one.
According to researchers from Kaspersky Lab, this type of attack, known as a watering hole, is very efficient and dangerous, especially if it is used to target users of a remote administration application. It is possible for antivirus software to detect the malware. However, almost all administrators will dismiss the alert and allow the suspicious activity, because remote-access behaviour is exactly what they expect from the tool they just installed. Allowing the malicious activity, or even adding it to the exclusion list, will infect the computer. From the moment the computer is infected, the attacker will be able to access it whenever they want. One can only imagine the confidential information criminals can access from the comfort of their lairs.
According to Kaspersky, the Ammyy web server has been compromised several times in the past. The company had only recently removed the same malicious code from the site early this year. It seems Lurk found a way to compromise the server again. Last month, Lurk was completely shut down by law enforcement. Even then, the Ammyy site managed to distribute another piece of malware that had nothing to do with Lurk.
Website infections of this magnitude have far-reaching consequences: a single compromised download server can seed malware into every organisation that trusts it. Such sites should not be trusted blindly.