A newer version of Amadey bot has been spreading in a SmokeLoader malware campaign. The attackers behind this campaign are using software cracks and keygen sites as bait to lure their victims.

Amadey with a new campaign

Researchers from AhnLab disclosed a new version of Amadey being spread with SmokeLoader malware. Earlier, the bot relied on the Fallout and Rig exploit kits for distribution.
  • Users often disable antivirus programs before running software cracks or visiting such fake sites, which helps SmokeLoader spread.
  • Researchers noted that SmokeLoader injects Amadey bot via the explorer browser process. Because the OS trusts this process, it passes security checks and downloads Amadey.
  • Amadey then copies itself to the TEMP folder under the name bguuwe[.]exe and creates a scheduled task for persistence via a cmd[.]exe command.

Amadey’s capabilities

Once Amadey makes a C2 communication, it sends the system profile to the attacker’s server, including details such as the OS version, architecture type, and a list of installed antivirus tools.
  • The latest version of Amadey can identify 14 antivirus products and, as expected from those results, the payloads it downloads are chosen to evade whichever product is in use.
  • Before fetching payloads, it also adds an exclusion to Windows Defender using PowerShell.
  • The payloads are installed with elevated privileges obtained through a UAC bypass technique: the bot abuses the program FXSUNATD[.]exe, which is made to load a hijacked DLL in order to elevate privileges.
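The three host behaviours described above (a scheduled task created by cmd[.]exe that points into the TEMP folder, a Defender exclusion added through PowerShell, and FXSUNATD[.]exe launched from a user-writable location) are all visible in process-creation telemetry. The following detection logic is an added example written for this article; it is not code from AhnLab's report or from the malware, and the Sysmon-style field names (Image, CommandLine, ParentImage) and the sample events are constructed assumptions, since the article does not reproduce Amadey's exact command lines.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1-style process-creation records. The paths, task name
# and user name are made up for this example; only bguuwe.exe and fxsunatd.exe are
# names taken from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C schtasks /create /sc minute /mo 1 /tn updater '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\bguuwe.exe" /f',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Add-MpPreference -ExclusionPath '
                    r'C:\Users\alice\AppData\Local\Temp"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe"},
    {"Image": r"C:\Windows\System32\fxsunatd.exe",
     "CommandLine": r"C:\Windows\System32\fxsunatd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe"},
    # Benign control: a vendor updater registering a task from Program Files.
    {"Image": r"C:\Program Files\Vendor\update.exe",
     "CommandLine": r'schtasks /create /tn VendorUpdate /tr "C:\Program Files\Vendor\update.exe" /sc daily',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

# User-writable temp locations that a persistence target should normally not live in.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|\\Windows\\Temp\\", re.IGNORECASE)
# schtasks invoked with /create (the task registration the article describes).
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.IGNORECASE)
# Defender exclusion being added from the command line (Add-MpPreference is a real cmdlet).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def detect(events):
    """Return one Finding per matched rule, in event order."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")

        # Rule 1: scheduled task whose action points into a temp directory.
        if SCHTASKS_RE.search(cmd) and TEMP_RE.search(cmd):
            findings.append(Finding("scheduled_task_from_temp", image, cmd))

        # Rule 2: Defender exclusion added via PowerShell.
        if EXCLUSION_RE.search(cmd):
            findings.append(Finding("defender_exclusion_added", image, cmd))

        # Rule 3: fxsunatd.exe started by a parent outside C:\Windows. The Fax
        # binary is not normally launched by user-writable programs, so this
        # flags its use for a UAC bypass without needing the hijacked DLL name.
        if image.lower().endswith("\\fxsunatd.exe") and not parent.lower().startswith("c:\\windows\\"):
            findings.append(Finding("fxsunatd_suspicious_parent", image, cmd))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}\n    {f.command_line}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Run against the constructed records, the benign vendor task is not flagged because its target is under Program Files rather than a temp path, while the three Amadey-style events each produce one finding. In production the same rules would be fed from Sysmon or EDR process events rather than an inline list, and the Defender exclusion rule can be corroborated from Defender's own operational log, where configuration changes are recorded.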

Additional details

Researchers noted that the bot captures screenshots at regular intervals and stores them in the TEMP path to be sent to the C2.
  • The attacker's servers also respond with instructions to download further plugins in the form of DLLs, as well as additional info-stealers such as RedLine (yuri[.]exe).
  • One of the downloaded DLL plugins (cred[.]dll) steals credentials from multiple applications, including Outlook, FileZilla, Pidgin, RealVNC, TightVNC, TigerVNC, WinSCP, Total Commander FTP Client, and Winbox.

What to Do?

The best and easiest way to stay protected from such threats (e.g., Amadey Bot and RedLine) is to avoid downloading cracked files. Additionally, avoid downloading software activators or any other illegitimate key generators that promise free access to premium products.
Cyware Publisher