Cyber Incident Victim: Ammyy
Date: Jun 2018
Location: Russia
Summary
The official website of a remote administration tool was compromised to distribute malware-infected versions of its software, bundling a multipurpose Trojan designed to steal sensitive files including cryptocurrency credentials and monitor processes related to financial and remote management applications. Attackers disguised their command-and-control server using a FIFA World Cup-themed domain, echoing a prior compromise of the same site. The malware, identified as a variant of Win32/Kasidet, targeted filenames containing passwords or wallet data and reported running applications associated with cryptocurrencies and remote access tools. The incident persisted for approximately two days, with payload obfuscation techniques altered multiple times to evade detection.
Description
On June 13 and 14, 2018, the official website for Ammyy Admin, ammyy.com, was compromised to distribute malware-infected versions of its remote administration software. ESET researchers first detected the compromise shortly after midnight on June 13, with the malicious activity persisting until the morning of June 14. Users who downloaded the software during this period received a modified installer file named AA_v3.exe, which bundled the legitimate Ammyy Admin application with a malicious executable called Ammyy_Service.exe. This file contained Win32/Kasidet, a multipurpose banking Trojan and bot sold in underground markets. The malware was designed to search for and exfiltrate files containing cryptocurrency credentials, targeting filenames such as "bitcoin," "wallet.dat," and "passwords.txt." It also monitored running processes for keywords related to cryptocurrency wallets, remote administration tools like Radmin and MSTSC, and secure file transfer clients including WinSCP and PuTTY, reporting these findings to a command-and-control server.

The attackers used a FIFA World Cup-themed domain, hxxp://fifa2018start[.]info/panel/tasks.php, as their C&C server, leveraging the global event to disguise malicious network traffic. This incident mirrored a 2015 compromise of the same website, where the Buhtrap group distributed malware through Ammyy’s installer. In both cases, attackers employed identical filenames for the malicious payload (Ammyy_Service.exe) and exploited SmartInstaller to repackage the legitimate software. During the 2018 attack, the payload’s obfuscation changed three times to evade detection, though ESET systems identified only the Win32/Kasidet variant. The malware’s primary impact involved credential theft targeting cryptocurrency users and unauthorized system surveillance. ESET notified Ammyy of the compromise and publicly disclosed the incident, advising affected users to scan their systems with updated security software. Ammyy Admin’s history of misuse by threat actors had previously led security vendors, including ESET, to classify it as a Potentially Unsafe Application, though it remained widely used in Russia. No additional containment measures or responses from Ammyy were detailed in the report.
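As an added illustration that is not part of the original report or of ESET's tooling, the Python script below applies the indicators quoted above to endpoint telemetry: execution of the Ammyy_Service.exe payload name, DNS resolution of the C&C domain, and the payload reading files whose names contain the targeted markers. The log format, host names and file paths are constructed for this example.

```python
import re
from collections import defaultdict

# Indicators quoted in the ESET description of the June 2018 ammyy.com compromise.
C2_DOMAIN = "fifa2018start.info"
PAYLOAD_NAME = "ammyy_service.exe"
TARGET_MARKERS = ("bitcoin", "wallet.dat", "passwords.txt")

# Constructed log format for this example (not a real product's schema):
# <timestamp> host=<name> type=<process|dns|file> key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\w+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(lines):
    """Return {host: sorted rule names} for every host matching at least one indicator."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, kind = m["host"], m["type"]
        kv = dict(KV_RE.findall(m["rest"]))
        image = basename(kv.get("image", ""))
        if kind == "process" and image == PAYLOAD_NAME:
            hits[host].add("payload_filename")          # same name used in 2015 and 2018
        elif kind == "dns":
            query = kv.get("query", "").lower().rstrip(".")
            if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
                hits[host].add("c2_domain")
        elif kind == "file" and image == PAYLOAD_NAME:
            if any(mark in kv.get("path", "").lower() for mark in TARGET_MARKERS):
                hits[host].add("credential_file_access")
    return {host: sorted(rules) for host, rules in hits.items()}

# Constructed sample telemetry: ws01 shows the full chain, ws02 only a benign installer run.
SAMPLE_LOGS = [
    '2018-06-13T00:12:05Z host=ws01 type=process image="C:\\Users\\a\\Downloads\\AA_v3.exe" parent="C:\\Windows\\explorer.exe"',
    '2018-06-13T00:12:07Z host=ws01 type=process image="C:\\Users\\a\\AppData\\Local\\Temp\\Ammyy_Service.exe" parent="C:\\Users\\a\\Downloads\\AA_v3.exe"',
    '2018-06-13T00:12:09Z host=ws01 type=dns query="fifa2018start.info"',
    '2018-06-13T00:12:30Z host=ws01 type=file image="C:\\Users\\a\\AppData\\Local\\Temp\\Ammyy_Service.exe" path="C:\\Users\\a\\AppData\\Roaming\\Bitcoin\\wallet.dat"',
    '2018-06-13T09:00:00Z host=ws02 type=process image="C:\\Program Files\\Ammyy\\AA_v3.exe" parent="C:\\Windows\\explorer.exe"',
    '2018-06-13T09:00:05Z host=ws02 type=dns query="updates.example.com"',
]

if __name__ == "__main__":
    for host, rules in analyze(SAMPLE_LOGS).items():
        print(host, rules)
```

A host matching all three rules is a much stronger signal than any one of them, since the payload file name alone could collide with a legitimate install.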
