Amadey Malware was Distributed via Software Cracks in the SmokeLoader Campaign

A new version of the Amadey Bot malware is being spread by the SmokeLoader malware, which uses software cracks and key generator sites as lures.

Amadey Bot is a malware strain that was first identified four years ago. It can perform system reconnaissance, steal data, and load additional payloads.

Although it has not been observed spreading since 2020, Korean researchers at AhnLab report that a new variant has appeared, delivered by the equally dated but still active SmokeLoader malware.

Amadey no longer relies on the Fallout and Rig exploit kits, which have largely fallen out of favor because they target outdated vulnerabilities.

New Amadey campaign

Victims download and run SmokeLoader themselves, since it is disguised as a software crack or key generator. Cracks and key generators are an effective malware delivery vehicle because they routinely trigger antivirus alerts, so users often disable their antivirus software before running them.

Upon execution, SmokeLoader injects its “Main Bot” into the currently running process, so that the operating system trusts it and it can download Amadey onto the system. When Amadey is fetched and executed, it copies itself to the TEMP folder under the name ‘bguuwe.exe’ and creates a scheduled task via the command prompt to keep that copy running.

Next, Amadey contacts the threat actor’s server and sends a system profile including the OS version, architecture type, a list of installed antivirus tools, and so on. In its latest version, 3.21, Amadey can detect 14 antivirus products and, based on the results, potentially fetch payloads that can evade the ones it found. The server responds with instructions to download additional plugins in the form of DLLs, as well as copies of other info-stealers, most notably RedLine (‘yuri.exe’).

The payloads are fetched and installed without requiring user authentication and with elevated privileges. To elevate privileges, Amadey abuses a program called FXSUNATD.exe by hijacking the DLLs it loads. Before downloading the payloads, it also adds Windows Defender exclusions using PowerShell. In addition, Amadey periodically captures screenshots and saves them in the TEMP path for later transmission to the C2 server.

One of the downloaded DLL plugins, ‘cred.dll’, executed via ‘rundll32.exe’, attempts to steal information from the following software:

  • Mikrotik router management program Winbox
  • Outlook
  • FileZilla
  • Pidgin
  • Total Commander FTP client
  • RealVNC, TightVNC, TigerVNC
  • WinSCP

If RedLine is loaded onto the host, the scope of the attack widens considerably, and the victim may lose account credentials, communications, files, and cryptocurrency assets. To protect against Amadey Bot and RedLine, avoid downloading cracked files, software activators, or illegitimate key generators that promise free access to premium products.
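As an added illustration for defenders (not code from AhnLab’s report or from this article), the following Python script checks constructed Sysmon-style process-creation records for the behaviours described above (execution from TEMP, a scheduled task pointing into TEMP, a Windows Defender exclusion added via PowerShell, rundll32 loading a DLL from TEMP, and FXSUNATD.exe spawned by a TEMP-resident process) and flags a parent process that exhibits several of them together. The record layout, file paths, sample events and rule names are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# "ParentImage|Image|CommandLine"). Sample data made up for this example; the file
# names follow the article (bguuwe.exe in TEMP, cred.dll via rundll32, FXSUNATD.exe).
SAMPLE_EVENTS = [
    r"C:\Users\u\Downloads\keygen.exe|C:\Users\u\AppData\Local\Temp\bguuwe.exe|bguuwe.exe",
    r"C:\Users\u\AppData\Local\Temp\bguuwe.exe|C:\Windows\System32\cmd.exe|cmd /c schtasks /create /sc minute /tn bg /tr C:\Users\u\AppData\Local\Temp\bguuwe.exe",
    r"C:\Users\u\AppData\Local\Temp\bguuwe.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp",
    r"C:\Users\u\AppData\Local\Temp\bguuwe.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Local\Temp\cred.dll,Main",
    r"C:\Users\u\AppData\Local\Temp\bguuwe.exe|C:\Windows\System32\FXSUNATD.exe|FXSUNATD.exe",
    r"C:\Windows\explorer.exe|C:\Program Files\App\app.exe|app.exe --update",
]

TEMP = r"\\AppData\\Local\\Temp\\"  # regex fragment for the user's TEMP directory

# One predicate per behaviour the article describes, over (parent, image, cmdline).
RULES = {
    "exec_from_temp": lambda p, i, c: re.search(TEMP + r"[^\\]+\.exe$", i, re.I) is not None,
    "schtasks_to_temp": lambda p, i, c: re.search(r"schtasks.*/create.*" + TEMP, c, re.I) is not None,
    "defender_exclusion": lambda p, i, c: re.search(r"Add-MpPreference\s+-Exclusion", c, re.I) is not None,
    "rundll32_temp_dll": lambda p, i, c: i.lower().endswith("rundll32.exe") and re.search(TEMP + r"[^\\]+\.dll", c, re.I) is not None,
    "fxsunatd_child_of_temp": lambda p, i, c: i.lower().endswith("fxsunatd.exe") and re.search(TEMP, p, re.I) is not None,
}

def match_rules(events: List[str]) -> List[Dict]:
    """Return, per event, the names of the rules it triggers (empty for benign events)."""
    out = []
    for line in events:
        parent, image, cmdline = line.split("|", 2)
        hits = [name for name, pred in RULES.items() if pred(parent, image, cmdline)]
        out.append({"parent": parent, "image": image, "rules": hits})
    return out

def suspicious_parents(matches: List[Dict], min_distinct: int = 2) -> Dict[str, Set[str]]:
    """Group hits by the process responsible; a parent showing several distinct
    behaviours (persistence, exclusions, plugin loading) is the chain worth triaging."""
    by_parent = defaultdict(set)
    for m in matches:
        for rule in m["rules"]:
            # the TEMP-execution hit belongs to the process itself, the rest to its parent
            key = m["image"] if rule == "exec_from_temp" else m["parent"]
            by_parent[key].add(rule)
    return {k: v for k, v in by_parent.items() if len(v) >= min_distinct}

if __name__ == "__main__":
    for parent, rules in suspicious_parents(match_rules(SAMPLE_EVENTS)).items():
        print(parent, sorted(rules))
```

Any single rule on its own would be noisy; the point of grouping by parent is that the combination of persistence, Defender exclusion and plugin loading from one TEMP-resident process is what distinguishes this chain from ordinary activity.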
