Amadey malware spreads via software cracks laced with SmokeLoader

Operators behind the Amadey Bot malware use the SmokeLoader to distribute a new variant via software cracks and keygen sites.

Amadey Bot is a data-stealing malware that was first spotted in 2018, it also allows operators to install additional payloads. The malware is available for sale in illegal forums, in the past, it was used by cybercrime gangs like TA505 to install GandCrab ransomware or the FlawedAmmyy RAT.

ASEC researchers recently discovered that Amadey malware is being distributed by SmokeLoader which is hidden in software cracks and serial generation programs available on multiple sites.

SmokeLoader acts as a loader for other malware, once it is executed it will inject Main Bot into the currently running explorer process (explorer.exe) and downloads the Amadey malware on the system.

When the Amadey malware is executed, it copies itself to the Temp path ” %TEMP%\9487d68b99\bguuwe[.]exe” then, it registers the folder as a startup folder to maintain persistence. It also supports a feature to register itself to Task Scheduler for the same purpose.

Then the malware contacts the C2 and sends system information (i.e. computer name, user name, OS version, architecture type, list of installed anti-malware products) to the operators.

In turn, the server responds by providing instructions to download additional plugins and info-stealer malware such as RedLine.

The latest version of the Amadey malware analyzed by the experts is version 3.21, it is able to check the following antimalware products:

Anti-malware Name	Number
X	0
Avast Software	1
Avira	2
Kaspersky Lab	3
ESET	4
Panda Security	5
Dr. Web	6
AVG	7
360 Total Security	8
Bitdefender	9
Norton	10
Sophos	11
Comodo	12
Windows Defender (assumed)	13

Amadey leverages the ‘FXSUNATD.exe’ tool to install payloads with UAC bypassing and performs elevation to admin via DLL hijacking.

The list of information stolen by the malware includes emails, FTPs, VPN clients, etc. The info-stealing plug-in is able to target the following software:

• Mikrotik Router Management Program Winbox
• Outlook
• FileZilla
• Pidgin
• Total Commander FTP Client
• RealVNC, TightVNC, TigerVNC
• WinSCP

“Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]