Pierluigi Paganini
July 25, 2022
Amadey Bot is a data-stealing malware that was first spotted in 2018, it also allows operators to install additional payloads. The malware is available for sale in illegal forums, in the past, it was used by cybercrime gangs like TA505 to install GandCrab ransomware or the FlawedAmmyy RAT.
ASEC researchers recently discovered that Amadey malware is being distributed by SmokeLoader which is hidden in software cracks and serial generation programs available on multiple sites.
SmokeLoader acts as a loader for other malware, once it is executed it will inject Main Bot into the currently running explorer process (explorer.exe) and downloads the Amadey malware on the system.
When the Amadey malware is executed, it copies itself to the Temp path ” %TEMP%\9487d68b99\bguuwe[.]exe” then, it registers the folder as a startup folder to maintain persistence. It also supports a feature to register itself to Task Scheduler for the same purpose.
Then the malware contacts the C2 and sends system information (i.e. computer name, user name, OS version, architecture type, list of installed anti-malware products) to the operators.
In turn, the server responds by providing instructions to download additional plugins and info-stealer malware such as RedLine.
The latest version of the Amadey malware analyzed by the experts is version 3.21, it is able to check the following antimalware products:
| Anti-malware Name | Number |
| X | 0 |
| Avast Software | 1 |
| Avira | 2 |
| Kaspersky Lab | 3 |
| ESET | 4 |
| Panda Security | 5 |
| Dr. Web | 6 |
| AVG | 7 |
| 360 Total Security | 8 |
| Bitdefender | 9 |
| Norton | 10 |
| Sophos | 11 |
| Comodo | 12 |
| Windows Defender (assumed) | 13 |
Amadey leverages the ‘FXSUNATD.exe’ tool to install payloads with UAC bypassing and performs elevation to admin via DLL hijacking.
The list of information stolen by the malware includes emails, FTPs, VPN clients, etc. The info-stealing plug-in is able to target the following software:
“Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
