A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.

Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads.

While its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still very active SmokeLoader malware.

This is a departure from Amadey's earlier reliance on the Fallout and Rig exploit kits, which have generally fallen out of favor because they target dated vulnerabilities.

New Amadey campaign

SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen. Because cracks and key generators routinely trigger antivirus warnings, users often disable their antivirus before running them, which makes such files an ideal vehicle for distributing malware.

Upon execution, SmokeLoader injects its "Main Bot" into the already running explorer.exe process, so that the OS trusts it, and then downloads Amadey onto the system.

Once Amadey is fetched and executed, it copies itself to a TEMP folder under the name 'bguuwe.exe' and creates a scheduled task to maintain persistence using a cmd.exe command.

Amadey installation details (ASEC)

Next, Amadey establishes C2 communication and sends a system profile to the threat actor's server, including the OS version, architecture type, list of installed antivirus tools, etc.

In its latest version, number 3.21, Amadey can discover 14 antivirus products and, presumably based on the results, fetch payloads that can evade those in use.

The server responds with instructions to download additional plugins in the form of DLLs, as well as copies of other info-stealers, most notably RedLine ('yuri.exe').

Fetching RedLine from the C2 server (ASEC)

The payloads are fetched and installed with a UAC bypass and privilege escalation: Amadey uses a program named 'FXSUNATD.exe' for this purpose and elevates to admin via DLL hijacking.

Before downloading the payloads, Amadey also adds the appropriate Windows Defender exclusions using PowerShell.

PowerShell exclusions and the auto-elevate (ASEC)

Moreover, Amadey captures screenshots periodically and saves them in the TEMP path to be sent to the C2 with the next POST request.

POST request exfiltrating screenshots (ASEC)

One of the downloaded DLL plugins, 'cred.dll,' which is run through 'rundll32.exe,' attempts to steal information from the following software:

  • MikroTik router management program Winbox
  • Outlook
  • FileZilla
  • Pidgin
  • Total Commander FTP Client
  • RealVNC, TightVNC, TigerVNC
  • WinSCP
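As an added example, not part of the BleepingComputer article or the ASEC report, the Python below turns the behaviours described above (cmd.exe scheduled task from TEMP, Defender exclusions via PowerShell, FXSUNATD.exe auto-elevation, rundll32 running cred.dll) into process-creation detection rules and runs them over constructed Sysmon-style events; the paths, task name, DLL export and drop location in the sample events are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; paths, task name and
# DLL export are assumptions for the example, not indicators from the ASEC report.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": TMP + r"\bguuwe.exe",
     "cmdline": r'cmd.exe /c schtasks /create /sc minute /tn Updater /tr "' + TMP + r'\bguuwe.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": TMP + r"\bguuwe.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "' + TMP + '"'},
    {"image": r"C:\Windows\System32\FXSUNATD.exe", "parent": TMP + r"\bguuwe.exe", "cmdline": "FXSUNATD.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": TMP + r"\bguuwe.exe",
     "cmdline": "rundll32.exe " + TMP + r"\cred.dll,#1"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",   # benign control
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories a standard user can write to; anything executing or loading from here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\ProgramData\\", re.I)

def check_event(ev):
    """Return the names of the Amadey-style behaviours a single event matches."""
    hits = []
    img, cmd = ev["image"].rsplit("\\", 1)[-1].lower(), ev["cmdline"]
    untrusted_parent = bool(USER_WRITABLE.search(ev["parent"]))
    # Persistence: cmd.exe creating a scheduled task whose action lives in a user-writable path.
    if img == "cmd.exe" and re.search(r"schtasks.*/create", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("schtask_from_user_writable_path")
    # Defence evasion: Defender exclusions added through PowerShell (Add-MpPreference -Exclusion*).
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
        hits.append("defender_exclusion_added")
    # UAC bypass: the auto-elevating FXSUNATD.exe started by something running out of Temp/AppData.
    if img == "fxsunatd.exe" and untrusted_parent:
        hits.append("fxsunatd_launched_by_untrusted_parent")
    # Credential plugin: rundll32 loading a DLL from a user-writable path (drop location assumed).
    if img == "rundll32.exe" and re.search(r"\.dll\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("rundll32_dll_from_user_writable_path")
    return hits

def scan(events):
    """Map each rule name to the command lines that triggered it across all events."""
    findings = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev["cmdline"])
    return findings

if __name__ == "__main__":
    for rule, cmds in scan(SAMPLE_EVENTS).items():
        print(f"[{rule}]", *cmds, sep="\n    ")
```

The benign shell32.dll control event produces no hit, so the rundll32 rule keys on the DLL's location rather than on rundll32 itself.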

Of course, if RedLine is loaded onto the host, the targeting scope is expanded dramatically, and the victim risks losing account credentials, communications, files, and cryptocurrency assets.

To steer clear of the danger posed by Amadey Bot and RedLine, avoid downloading cracked files, software product activators, or illegitimate key generators that promise free access to premium products.

Update 8/17/22: RealVNC head of security, Ben May, shared the following comment with Bleeping Computer:

Once Amadey has gained Administrator privileges on a machine, the malware will extract config/credentials from various software it detects (including RealVNC). As is often the case, something with Administrator level access can view/modify most things on a computer.

By default, unlike our competitors, RealVNC’s VNC Server uses Windows credentials as the authentication mechanism, which means there are no credentials stored in the Registry for the Amadey malware to extract. However, this only applies to paid subscriptions.
