Undetected cerber3 in ammyy setup

Guillaume Durand

Level 1
Thread author
Sep 13, 2016
5
I would like to report that I was hit by a cerber3 ransomware variant embedded in the currently available Ammyy setup. Ammyy is remote control software, like VNC or TeamViewer, and their site was visibly hacked recently, because their setup was repacked as a virus deployer and it is not detected by most antiviruses. The malicious setup is not detected, but worse still, the deployed viral exe is not either.
Some antiviruses detect the setup as being a RemoteAdmin, but as Ammyy is a remote admin tool, you will of course allow the execution, and the setup will deploy and run the virus. A very astute way to ensure the antivirus is bypassed.
Once you launch the setup, the file encrypted.exe is deployed into <local settings>\temp alongside the legit Ammyy setup and both are executed. Then the ransomware starts encrypting your data.
Now a HIPS software may help with this, but if the hackers are not too stupid they would name the exe video_helper_driver64.exe or whatever may seem a legit Ammyy companion, and then you would allow it to run.
Note that the legit setup is signed by the company and the repacked setup is not.

I submitted the malicious setup to some AV sites, explaining the false detection problem, but they use automated analysis and just report a RemoteAdmin threat, so I'm not sure they'll investigate further to discover how cerber3 can be embedded in there.

The malicious setup, sometimes detected as RemoteAdmin: Antivirus scan for 5b13f477c35822e4ba55dfb3d0d99677e1d50dabc78035970104540255df8ec3 at 2016-09-13 12:54:09 UTC - VirusTotal
The deployed ransomware: https://www.virustotal.com/en/file/...3efa7ec5e6f32ee9e500a7394e3daf7a916/analysis/

As a side note, I tried Comodo AV and IS in a VM and only AV warned me about Ammyy being a possible RemoteAdmin threat. I find it strange that they don't have the same behaviour, but perhaps it's because I tested on Windows XP and some OS features are not available. Also Avira did not find a thing, although the VirusTotal reports show otherwise.
 
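The post makes two checkable points about the repacked installer: its SHA-256 is known (the VirusTotal link above), and the legitimate setup is signed while the repacked one is not. The following script is an added example, not code from the thread or from Ammyy: it hashes a downloaded installer, compares the digest against the hash reported in this thread, and parses the PE headers to see whether the file carries an Authenticode certificate table at all (data directory entry 4). A present certificate table only means the file claims to be signed; actual chain validation still belongs to the OS (`Get-AuthenticodeSignature` or `signtool verify`). The `build_minimal_pe` helper constructs header-only sample PE images so the checks can be exercised offline; it is not a real installer.

```python
import hashlib
import struct
import sys

# SHA-256 of the repacked Ammyy setup, as reported in the thread's VirusTotal link.
KNOWN_BAD_SHA256 = {
    "5b13f477c35822e4ba55dfb3d0d99677e1d50dabc78035970104540255df8ec3",
}

# Index of the certificate table (Authenticode) in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode certificate table,
    or None when the buffer is not a PE image or has no such entry."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                     # COFF file header (20 bytes)
        size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
        opt = coff + 20                         # optional header
        if size_opt < 2:
            return None
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == 0x10B:                      # PE32
            nrva_off = opt + 92
        elif magic == 0x20B:                    # PE32+
            nrva_off = opt + 108
        else:
            return None
        num_rva = struct.unpack_from("<I", pe, nrva_off)[0]
        if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        entry = nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        # The security directory holds a raw file offset, not an RVA.
        return struct.unpack_from("<II", pe, entry)
    except struct.error:
        return None


def assess(pe: bytes) -> dict:
    """Hash the file, look it up in the known-bad set, and report whether
    it even claims to be signed. Chain validation is left to the OS tools."""
    digest = hashlib.sha256(pe).hexdigest()
    sec = security_directory(pe)
    has_cert = bool(sec and sec[1] > 0)
    if digest in KNOWN_BAD_SHA256:
        verdict = "BLOCK: matches known-bad hash"
    elif has_cert:
        verdict = "signed: verify the certificate chain before running"
    else:
        verdict = "UNSIGNED: do not run"
    return {"sha256": digest, "has_authenticode_table": has_cert,
            "known_bad": digest in KNOWN_BAD_SHA256, "verdict": verdict}


def build_minimal_pe(cert_size: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image as sample input (not a real binary).
    cert_size > 0 gives it a certificate table entry pointing past the headers."""
    num_dirs = 16
    magic, fixed = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = fixed + 8 * num_dirs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", num_dirs)
    dirs = bytearray(8 * num_dirs)
    cert_offset = 64 + 4 + 20 + opt_size
    if cert_size:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_offset, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + b"\0" * cert_size


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(assess(f.read()))
    else:  # demo on constructed samples
        print("unsigned sample:", assess(build_minimal_pe(0)))
        print("signed sample:  ", assess(build_minimal_pe(256)))
```

Run it as `python check_installer.py AA_v3.exe` (file name assumed) before executing any downloaded installer; an unsigned result for a vendor that normally signs its setup is exactly the discrepancy the post describes.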

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
This makes me relieved to know I block all access to the ammyy web site from our company firewalls.
We had someone social engineer a store manager to download this software onto one of our PCs. Luckily the manager smelt a rat and didn't go as far as installing it. Ever since then it's been blocked.
 

Guillaume Durand

Level 1
Thread author
Sep 13, 2016
5
@askmark: this hack is very recent (a few days), and we used this software with no problem until now. They just had the bad luck to have a security breach on their server.

And BTW I think their whole system was taken over because I opened a ticket on their system and 3 days later I received this answer "Please can you give us the license number". Extremely suspicious.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
@askmark: this hack is very recent (a few days), and we used this software with no problem until now. They just had the bad luck to have a security breach on their server.

And BTW I think their whole system was taken over because I opened a ticket on their system and 3 days later I received this answer "Please can you give us the license number". Extremely suspicious.

Yes, that is either very unlucky, or Ammyy didn't have adequate (any??) protection in place to prevent their web site being compromised.

Ammyy is a very high profile remote admin tool, so one would hope the security of their site was appropriately high.
 
LabZero

Yes, that is either very unlucky, or Ammyy didn't have adequate (any??) protection in place to prevent their web site being compromised.

Ammyy is a very high profile remote admin tool, so one would hope the security of their site was appropriately high.
Ammyy devs do not seem to be very competent in solving these recurrent attacks, and it is probably no longer the case that we can trust them!
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
This is an alarming find, thank you @Guillaume Durand for sharing both the links to Malwr.com (including the option to get hold of the payload) as well as your experience. I hope it was ok to gather the files for a quick test :)

Good news so far, as Bitdefender has a signature for the ransomware payload.

EDIT: Added Update screenshot. @LabZero thank you, with pleasure :)

[Attached screenshots: malwr.JPG, update.JPG, static.JPG]
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
An anti-exe program would not protect against this kind of attack. Since you downloaded it from the official site, you would trust it and run it.
You need an anti-exploit/behavior blocker for this kind of thing.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Even if so, after having downloaded a known and trusted product from an official site, I think most users would consider it safe to run.
This is a hard subject, but I agree the site looks dated and unsafe. I myself would not download from there; seeing what this tool is for, I would be hyper alert too.
I have had cause to use TeamViewer on occasion, and even that software is removed from my system once I am done.
Regardless of the protection software employed, this is where an experienced eye and common sense are equally as important as a solid config, whether you're a home or business user. I am very surprised an experienced user would download from that site.
Great share all.
PeAcE
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Do you have the setting "Automatically allow by parent process.." enabled? I'm not sure what would have happened if this was on.

I have always deselected this option because I don't trust anything ;)
That's a very good point, and no, I too have that option disabled. I would suspect any advanced user would know to disable that; a novice user may not know. Thanks for asking ;)
 
