Legitimate software website was seen distributing malware (Jul 22, 2016)


The Sonicwall Threat Research team has received reports of a trojan bundled with a legitimate remote desktop tool. Cybercriminals found a way to slip Lurk Trojan with Ammyy Admin program and distribute this malicious application via software downloads through the company’s official website. This is not the first time the Ammyy Admin website has been comprised. In the past year, it has been reported to distribute different malware families through malware-laced copies of their installers hosted on the company’s website.

Infection Cycle:

The infected copy is an NSIS packaged installer that upon execution will extract and execute the legitimate Ammyy admin installer along with the Trojan installer.

Figure 1: NSIS packaged installer extracts the legimitate and malicious programs

The Trojan installer AmmyySvc.exe has file properties that resembles a legitimate program:

Figure 2: AmmyySvc.exe file properties

Upon execution of the malicious exe, it drops a DLL file in the following directory:

  • %temp%/19B.tmp

This file also has legitimate-looking file properties:

Figure 3: 19B.tmp DLL file properties

It also lists the following fake export functions:

Figure 4: Fake DLL Export functions
Figure 4: Fake DLL Export functions

When in reality, none of these export functions are used by the program, and it is registered through DllRegisterServer with regsvr32.exe.

Figure 5: AmmyySvc.exe spawns regsvr32.exe to register the malicious DLL component

The Trojan checks the basic settings of the infected systems and scours the registry to possibly understand what methods can be used to gain access, if the machine is part of a network or to learn how to circumvent security settings:

Figure 6: AmmyySvc.exe checks for Internet Settings and System Policies

Figure 7: AmmyySvc.exe checks for Internet feature control settings

It also gathers information such as the computer name and web browsing history information including URLs visited, cookies created and files that were downloaded in the cache.

Figure 8: Lurk Trojan reads the victim machine’s computer name

Figure 9: Lurk Trojan checks the victim machine’s web history

Figure 10: Lurk Trojan checks the victim machine’s cookies

It also tried to make the following connections to a remote server but it was already taken down at the time of our analysis:

Figure 11: Lurk Trojan connects to bandgap75r.com

This example of a watering hole attack, where malware authors target unsuspecting visitors to the Ammyy Admin official website, is a very effective way to distribute malicious software and infect their target. Victims will likely trust installers that were downloaded from a presumably safe source. Ammyy Admin has since cleaned up their website and no longer distributes the malicious installer, but given that their website has previously been compromised multiple times, we urge our users to be doubly cautious when downloading and executing installer from their website.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Lurk.A_2 (Trojan)
  • GAV: Lurk.A_3 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.