On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”. According to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email.
- KISA security notice: https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=66958
The ASEC analysis team was able to secure a file that appears to be of this type while monitoring relevant samples. The malware carries the same filename and icon as the actual messenger program, which makes ordinary users more likely to launch it.
When the kakaotalk_update.exe malware that was attached to the emails is first executed, it launches a second copy of itself and injects its code into that child process. The injected process connects to the C2 server, downloads a zip file containing additional compressed malware to a shared folder path, and then executes the following commands.
- cmd.exe /c rundll32.exe "C:\users\public\srms.dat" Run
- cmd.exe /C timeout /t 5 /nobreak & Del /f /q "C:\Users\[Username]\Desktop\kakaotalk_update.exe"
The downloaded file "srms.dat", which is executed through rundll32.exe, is a dropper (see Figure 3) that creates a DLL implementing the Amadey Bot malware.
It then writes Amadey Bot to disk under the filename "tapi32.dll", runs it through rundll32.exe with the commands shown below, and deletes itself.
- rundll32.exe "C:\users\public\348520\tapi32.dll",Run
- rundll32.exe "C:\users\public\348520\tapi32.dll",Start
- cmd.exe /C timeout /t 5 /nobreak & Del /f /q "C:\users\public\srms.dat"
As shown in Figure 7, the executed Amadey Bot transmits information about the infected PC to the C2 server, including the infected system's ID, the Amadey version, admin privilege status, architecture, Windows version, PC name, and username.
Detailed analyses of the Amadey Bot malware can be found in the following ASEC blog posts.
- Amadey Bot Being Distributed Through SmokeLoader (Link)
- [Warning] ‘Amadey’ Malware Targeting Korean Cryptocurrency Companies (Link)
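The infection chain above leaves a recognisable trail in process-creation telemetry: the downloader re-launching a copy of itself, rundll32.exe loading a module from C:\users\public (once with a non-DLL ".dat" extension), and the delayed cmd.exe self-deletion. The following is an added detection example, not code from the ASEC post or from AhnLab; the process records, the user name "victim", and the parent-process relationships are constructed assumptions built from the commands listed above.

```python
import re

KAKAO = r"C:\Users\victim\Desktop\kakaotalk_update.exe"
# Constructed (image, parent_image, cmdline) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    (KAKAO, r"C:\Windows\explorer.exe", f'"{KAKAO}"'),
    (KAKAO, KAKAO, f'"{KAKAO}"'),  # the downloader re-launching itself
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
     r'rundll32.exe "C:\users\public\srms.dat" Run'),
    (r"C:\Windows\System32\cmd.exe", KAKAO,
     f'cmd.exe /C timeout /t 5 /nobreak & Del /f /q "{KAKAO}"'),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\users\public\348520\tapi32.dll",Run'),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # benign
]

DROP_DIRS = (r"c:\users\public", r"\appdata\local\temp")  # shared / world-writable staging paths
SELF_DELETE = re.compile(r"timeout\s+/t\s+\d+.*&\s*del\s+/f\s+/q", re.I)

def parse_rundll32(cmdline):  # -> (module_path, entry_point) for a rundll32 command line, else None
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):  # quoted module path: "path" Export  or  "path",Export
        end = rest.find('"', 1)
        module, tail = rest[1:end], rest[end + 1:]
    else:  # unquoted: the path ends at the first comma or whitespace
        m2 = re.match(r"([^,\s]+)(.*)$", rest)
        module, tail = m2.group(1), m2.group(2)
    tail = tail.strip(" ,")
    return module, (tail.split()[0] if tail else "")

def score_event(image, parent, cmdline):  # applies the chain's behavioural rules to one record
    findings, image, parent = [], image.lower(), parent.lower()
    if image == parent and not image.startswith("c:\\windows\\"):
        findings.append("user-path process spawned a copy of itself (self-injection staging)")
    parsed = parse_rundll32(cmdline)
    if parsed and any(d in parsed[0].lower() for d in DROP_DIRS):
        findings.append(f"rundll32 loading a module from a shared folder: {parsed[0]}")
    if parsed and not parsed[0].lower().endswith(".dll"):
        findings.append(f"rundll32 loading a module with a non-DLL extension: {parsed[0]}")
    if SELF_DELETE.search(cmdline):
        findings.append("delayed self-deletion via cmd.exe timeout & del /f /q")
    return findings

def scan(events):  # -> {event_index: findings} for every record that triggered at least one rule
    return {i: f for i, ev in enumerate(events) if (f := score_event(*ev))}
```

Running `scan(SAMPLE_EVENTS)` flags records 1 through 4 and leaves the normal launch and the benign rundll32 control-panel call untouched; the rundll32 module path check is the one worth tuning first, since legitimate software rarely loads DLLs from C:\users\public.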
AhnLab's anti-malware software, V3, detects and blocks the malware above using the aliases below.
- Downloader/Win.Amadey.R5282269 (2022.10.17.03)
- Trojan/Win.Amadey.C5282244 (2022.10.17.03)
- Dropper/Win.Amadey.C5282248 (2022.10.17.03)
MD5 hashes of the analyzed samples:
- 0184b0f6403420f7134a3e4a37498754 (Initial downloader)
- 00a7588c41c5a1183f098901d30df09a (Additional dropper)
- ccd5a8f11035b888a7a3de6035ac272e (Amadey Bot)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.