Ammyy Admin Website Hacked to Deliver Cerber 3 Ransomware

The website of Ammyy Admin, a tool used for remote desktop management, has been hacked to deliver Cerber 3 ransomware to unsuspecting users.

Ammyy Admin Hacked Again, This Time Delivers Cerber 3 Ransomware

Internet journalists have noticed that something is wrong with the website of one of the popular remote desktop management solutions, Ammyy Admin. Hackers breached the site’s security and used it to host malicious Cerber 3 ransomware executables. The investigation was conducted after several users reported that the malware was activated on their systems soon after they downloaded the system utility.

The site was compromised for at least two days before the administrators removed the malicious code. The downloaded file contains a binary executable called encrypted.exe that is packed together with the legitimate installer of the program. Upon each execution, the Cerber 3 ransomware is installed on the system.

The bundled Cerber is not that different from the other variants that have been identified so far. It deletes the Shadow Volume Copies to prevent file recovery using specialized software solutions. User files can be transmitted to the remote C&C servers, and Cerber can manipulate the keyboard and record keystrokes. The ransomware spawns its own process and is able to view and manipulate certain system configuration variables.

The contaminated files were submitted 20 times by 19 different users between 2016-09-14 07:47:04 and 2016-09-15 06:50:39. Presumably, this was the main time period when the infection was active on the web server.

The criminals have utilized the latest version of the Cerber ransomware. As of this time, there are no decryption utilities available. Ammyy Admin’s site has been hacked numerous times before and has spread at least six other types of Trojans. These include banking Trojans and keyloggers.

The site restored the legitimate and virus-free files around 6-8 PM UTC yesterday.

About Ammyy Admin

Ammyy Admin is a computer application that allows remote desktop connections to be made using an easy-to-use client. This feature is popular with business users, who use it to control their business workstations and work with private files without downloading them to unsecured storage.

The fact that the site has been compromised does not mean that the product itself has been compromised. However, there are two possibly disturbing scenarios that we have to point out:

  • If the site hosts account credentials in a database or another type of information repository, the attackers might use it in social engineering and phishing attacks. The spam email messages can be personalized using the harvested information from the hacked site.
  • If the hacked site contains actual product source code, it can be used to create counterfeit versions of the application that can infect the victims with various types of malware.
  • The hackers can substitute the download links to third-party and potentially dangerous software.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
