Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed

On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email.

The ASEC analysis team was able to secure a file that seems to be of the type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program, which prompts ordinary users to launch it.

Figure 1. (Left) The icon used for the malware / (Right) The actual messenger program icon
Figure 2. Operation flow

Upon initial execution of the kakaotalk_update.exe malware which is seen to have been attached to emails, it runs recursion on the process and injects itself into the process. The injected process connects to the C2 server and downloads a zip file with additional compressed malware to a shared folder path, before executing the following command.

  • cmd.exe /c rundll32.exe “C:\users\public\srms.dat” Run
  • cmd.exe /C timeout /t 5 /nobreak & Del /f /q “C:\Users\[Username]\Desktop\kakaotalk_update.exe”

The downloaded and executed file with the name of “srms.dat” is a dropper (See Figure 3) that creates a DLL that behaves as the AmadeyBot malware.

Figure 3. Dropper contained in the compressed file
Figure 4. Properties of the folder where the Amadey Bot is dropped
Figure 5. The dropped Amadey Bot DLL

Afterward, using rundll32.exe, it creates and runs the AmadeyBot with the filename “tapi32.dll” as shown below, then deletes itself.

  • rundll32.exe “C:\users\public\348520\tapi32.dll”,Run
  • rundll32.exe “C:\users\public\348520\tapi32.dll”,Start
  • cmd.exe /C timeout /t 5 /nobreak & Del /f /q “C:\users\public\srms.dat”
Figure 6. Amadey Bot

As shown in Figure 7, the executed Amadey Bot transmits information from the user PC including the infected system’s ID, Amadey version, admin privilege status, architecture, Windows version, PC name, and username to the C2 server.

Figure 7. Information transmitted to the C2 server
Figure 8. Amadey C2 panel login screen

Detailed analysis on the Amadey Bot malware can be found in the following ASEC blog posts.

  • Amadey Bot Being Distributed Through SmokeLoader (Link)
  • [Warning] ‘Amadey’ Malware Targeting Korean Cryptocurrency Companies (Link)

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Downloader/Win.Amadey.R5282269 (2022.10.17.03)
– Trojan/Win.Amadey.C5282244 (2022.10.17.03)
– Dropper/Win.Amadey.C5282248 (2022.10.17.03)

[IOC]

MD5
– 0184b0f6403420f7134a3e4a37498754 (Initial downloader)
– 00a7588c41c5a1183f098901d30df09a (Additional dropper)
– ccd5a8f11035b888a7a3de6035ac272e (Amadey Bot)

[C&C Server]
– hxxps://office-download3791[.]com/list.php
– hxxps://rs-shop7301[.]com/index.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
Subscribe
Notify of
guest

8 Comments
Inline Feedbacks
View all comments
trackback

[…] Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed […]

trackback

[…] last month, ASEC also found the malware distributed under the disguise of KakaoTalk, an instant messaging service popular in […]

trackback

[…] last month, ASEC also found the malware distributed under the disguise of KakaoTalk, an instant messaging service popular in […]

trackback

[…] final month, ASEC additionally discovered the malware distributed beneath the disguise of KakaoTalk, an immediate messaging service in style […]

trackback

[…] final month, ASEC additionally discovered the malware distributed underneath the disguise of KakaoTalk, an immediate messaging service […]

trackback

[…] final month, ASEC additionally discovered the malware distributed beneath the disguise of KakaoTalk, an immediate messaging service standard […]

trackback

[…] last month, ASEC also found the malware distributed under the disguise of KakaoTalk, an instant messaging service popular in […]

trackback

[…] last month, ASEC also found the malware distributed under the disguise of KakaoTalk, an instant messaging service popular in […]