A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.
Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads.
While its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still very active SmokeLoader malware.
This is a departure from Amadey’s reliance on the Fallout and Rig exploit kits, which have generally fallen out of popularity as they target dated vulnerabilities.
New Amadey campaign
SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen. Because cracks and key generators commonly trigger antivirus warnings, users often disable antivirus programs before running them, which makes these lures an ideal method of distributing malware.
Upon execution, SmokeLoader injects “Main Bot” into the currently running explorer.exe process, so the OS trusts it, and downloads Amadey onto the system.
Once Amadey is fetched and executed, it copies itself to a TEMP folder under the name ‘bguuwe.exe’ and creates a scheduled task to maintain persistence using a cmd.exe command.
Next, Amadey establishes C2 communication and sends a system profile to the threat actor’s server, including the OS version, architecture type, list of installed antivirus tools, etc.
In its latest version, number 3.21, Amadey can discover 14 antivirus products and, presumably based on the results, fetch payloads that can evade those in use.
The server responds with instructions on downloading additional plugins in the form of DLLs, as well as copies of additional info-stealers, most notably, RedLine (‘yuri.exe’).
The payloads are fetched and installed with UAC bypassing and privilege escalation. Amadey uses a program named ‘FXSUNATD.exe’ for this purpose and performs elevation to admin via DLL hijacking.
Also, the appropriate exclusions on Windows Defender are added using PowerShell before downloading the payloads.
Moreover, Amadey captures screenshots periodically and saves them in the TEMP path to be sent to the C2 with the next POST request.
One of the downloaded DLL plugins, ‘cred.dll,’ which is run through ‘rundll32.exe,’ attempts to steal information from the following software:
Mikrotik Router Management Program Winbox
Outlook
FileZilla
Pidgin
Total Commander FTP Client
RealVNC, TightVNC, TigerVNC
WinSCP
Of course, if RedLine is loaded onto the host, the targeting scope is expanded dramatically, and the victim risks losing account credentials, communications, files, and cryptocurrency assets.
To stay clear of the danger of Amadey Bot and RedLine, avoid downloading cracked files, software product activators, or illegitimate key generators that promise free access to premium products.
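The host-side behaviours described above (a scheduled task pointing into TEMP, Windows Defender exclusions added through PowerShell, rundll32.exe loading a plugin DLL, and FXSUNATD.exe used for DLL hijacking) can be hunted for in process-creation logs. The Python sketch below is an added example, not code from the AhnLab report; the events are constructed, and the schtasks and Add-MpPreference/Set-MpPreference patterns and the System32 home of FXSUNATD.exe are assumptions about how those behaviours appear on a command line.

```python
import re

# Constructed (image path, command line) process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C schtasks /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\u\AppData\Local\Temp\bguuwe.exe" /F'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Local\Temp"'),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\u\AppData\Roaming\example\cred.dll", Main'),
    (r"C:\Users\u\AppData\Local\Temp\FXSUNATD.exe", "FXSUNATD.exe"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.I)

def _name(image):
    return image.lower().rsplit("\\", 1)[-1]

def task_from_user_path(image, cmd):
    # Assumption: persistence is created with schtasks /create and points at TEMP/AppData.
    return bool(re.search(r"\bschtasks(\.exe)?\b.*/create\b", cmd, re.I) and USER_WRITABLE.search(cmd))

def defender_exclusion(image, cmd):
    # Assumption: exclusions are added with the Add-/Set-MpPreference cmdlets.
    return bool(re.search(r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", cmd, re.I))

def rundll32_user_dll(image, cmd):
    # rundll32.exe loading a DLL from a user-writable directory (e.g. a stealer plugin).
    return _name(image) == "rundll32.exe" and bool(re.search(r"\\(appdata|temp)\\[^\"]*\.dll", cmd, re.I))

def fxsunatd_relocated(image, cmd):
    # Assumption: the genuine FXSUNATD.exe lives in System32; a copy elsewhere can load a planted DLL.
    return _name(image) == "fxsunatd.exe" and "\\windows\\system32\\" not in image.lower()

RULES = [task_from_user_path, defender_exclusion, rundll32_user_dll, fxsunatd_relocated]

def triage(events):
    """Return {event index: [names of rules that fired]} for events with at least one hit."""
    hits = {}
    for i, (image, cmd) in enumerate(events):
        fired = [rule.__name__ for rule in RULES if rule(image, cmd)]
        if fired:
            hits[i] = fired
    return hits

if __name__ == "__main__":
    for idx, fired in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][0], fired)
```

The rules key on behaviour rather than on file names such as ‘bguuwe.exe’, which are trivially changed between builds; the last two sample events are benign and should produce no hits.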