Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Amadey malware pushed via software cracks in SmokeLoader campaign
#1
https://www.bleepingcomputer.com/news/se...-campaign/    Amadey malware pushed via software cracks in SmokeLoader campaign
By Bill Toulas
July 24, 2022 12:11 PM        A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.

Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads.

While its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still very active SmokeLoader malware.

This is a departure from Amadey's reliance on the Fallout, and the Rig exploit kits, which have generally fallen out of popularity as they target dated vulnerabilities.

New Amadey campaign
SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen. As it is common for cracks and key generators to trigger antivirus warnings, it is common for users to disable antivirus programs before running the programs, making them an ideal method of distributing malware.

Upon execution, it injects "Main Bot" into the currently running (explorer.exe) process, so the OS trusts it and downloads Amadey on the system.

Once Amadey is fetched and executed, it copies itself to a TEMP folder under the name 'bguuwe.exe' and creates a scheduled task to maintain persistence using a cmd.exe command.

Amadey installation details
Amadey installation details (ASEC)
Next, Amadey establishes C2 communication and sends a system profile to the threat actor's server, including the OS version, architecture type, list of installed antivirus tools, etc.

In its latest version, number 3.21, Amadey can discover 14 antivirus products and, presumably based on the results, fetch payloads that can evade those in use.

The server responds with instructions on downloading additional plugins in the form of DLLs, as well as copies of additional info-stealers, most notably, RedLine ('yuri.exe').

Fetching RedLine from the C2 server
Fetching RedLine from the C2 server (ASEC)
The payloads are fetched and installed with UAC bypassing and privilege escalation. Amadey uses a program named 'FXSUNATD.exe' for this purpose and performs elevation to admin via DLL hijacking.

Also, the appropriate exclusions on Windows Defender are added using PowerShell before downloading the payloads.

PowerShell exclusions and the auto-elevate
PowerShell exclusions and the auto-elevate (ASEC)
Moreover, Amadey captures screenshots periodically and saves them in the TEMP path to be sent to the C2 with the next POST request.

POST request exfiltrating screenshots
POST request exfiltrating screenshots (ASEC)
One of the downloaded DLL plugins, 'cred.dll,' which is run through 'rundll32.exe,' attempts to steal information from the following software:

Mikrotik Router Management Program Winbox
Outlook
FileZilla
Pidgin
Total Commander FTP Client
RealVNC, TightVNC, TigerVNC
WinSCP
Of course, if RedLine is loaded onto the host, the targeting scope is expanded dramatically, and the victim risks losing account credentials, communications, files, and cryptocurrency assets.

To stay clear from the danger of Amadey Bot and RedLine, avoid downloading cracked files, software product activators, or illegitimate key generators that promise free access to premium products.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  New SEO Poisoning Campaign Distributing Trojanized Versions of Popular Software Imran 0 748 02-03-2022 , 01:56 PM
Last Post: Imran
  Antivirus Software Flagging Dell Drivers as Malware mrtrout 0 1,137 11-12-2020 , 04:14 AM
Last Post: mrtrout
  New iPhone Security Alert: ‘iPhone Only’ Krampus-3PC Malware Campaign Confirmed dhruv2193 0 1,434 12-13-2019 , 03:58 PM
Last Post: dhruv2193
  New Malware Campaign Targets US Petroleum Companies dhruv2193 0 4,439 10-03-2019 , 08:08 AM
Last Post: dhruv2193
  Malware campaign that turns PC's into "Zombie Proxies" dhruv2193 0 1,118 09-30-2019 , 07:58 AM
Last Post: dhruv2193

Forum Jump:


Users browsing this thread: 1 Guest(s)