Amadey malware spreads via software cracks laced with SmokeLoader

Operators behind the Amadey Bot malware use the SmokeLoader to distribute a new variant via software cracks and keygen sites.

Amadey Bot is a data-stealing malware that was first spotted in 2018, it also allows operators to install additional payloads. The malware is available for sale in illegal forums, in the past, it was used by cybercrime gangs like TA505 to install GandCrab ransomware or the FlawedAmmyy RAT.

ASEC researchers recently discovered that Amadey malware is being distributed by SmokeLoader which is hidden in software cracks and serial generation programs available on multiple sites.

SmokeLoader acts as a loader for other malware, once it is executed it will inject Main Bot into the currently running explorer process (explorer.exe) and downloads the Amadey malware on the system.

When the Amadey malware is executed, it copies itself to the Temp path ” %TEMP%\9487d68b99\bguuwe[.]exe” then, it registers the folder as a startup folder to maintain persistence. It also supports a feature to register itself to Task Scheduler for the same purpose.

Then the malware contacts the C2 and sends system information (i.e. computer name, user name, OS version, architecture type, list of installed anti-malware products) to the operators.

In turn, the server responds by providing instructions to download additional plugins and info-stealer malware such as RedLine.

The latest version of the Amadey malware analyzed by the experts is version 3.21, it is able to check the following antimalware products:

Anti-malware Name	Number
X	0
Avast Software	1
Avira	2
Kaspersky Lab	3
ESET	4
Panda Security	5
Dr. Web	6
AVG	7
360 Total Security	8
Bitdefender	9
Norton	10
Sophos	11
Comodo	12
Windows Defender (assumed)	13

Amadey leverages the ‘FXSUNATD.exe’ tool to install payloads with UAC bypassing and performs elevation to admin via DLL hijacking.

The list of information stolen by the malware includes emails, FTPs, VPN clients, etc. The info-stealing plug-in is able to target the following software:

Mikrotik Router Management Program Winbox
Outlook
FileZilla
Pidgin
Total Commander FTP Client
RealVNC, TightVNC, TigerVNC
WinSCP

“Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.