Nitol DDoS Malware Installing Amadey Bot

The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware.

Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on the infected systems.[1] Additionally, in the second half of this year, Amadey was used in attacks involving LockBit 3.0, which targeted Korean corporate users. Amadey was distributed as attachments to spam emails and was responsible for installing LockBit Ransomware.[2]

While monitoring the actively distributed Amadey Bot, the ASEC analysis team found the Nitol DDoS Bot malware installing Amadey. Nitol is a DDoS Bot with a Denial of Service (DDoS) attack feature, and while its numbers have decreased recently, it is a malware that has been steadily used in attacks since long ago. For example, in 2021, there was a history of it being uploaded to a Korean forum archive, infecting many Korean users.[3]

Figure 1. The malware distribution posts that were uploaded on a Korean program-sharing website

Nitol Malware that installed Amadey is the same file as the malware covered in the above blog post. This tells us that even after over a year, it is still being used in attacks up until now. This file is being shared via torrent, disguised as cracks for Hancom and MS Office, and it is infecting many users even at the current moment. The following are the names of paths where Nitol was detected.

\Hancom 2020\crack.exe
\[Official Korean Version] Office 2007\setup.exe
\microsoft office 2016\setup.exe
\SketchUp Pro 2018\crack.exe

Nitol Malware Analysis

Nitol used in the attacks was packed with Themida to hinder analysis. Nitol is a DDoS Bot that supports various forms of DDoS attacks, and the one used in the attacks has 0x50 for its settings data. When it communicates with C&C servers, it stands by for 5 seconds and sets the system’s hidden files and folders to be invisible. The following is the settings data for Nitol.

Bit SettingsFeature
0x01Exclude installation process
0x02Auto-delete
0x04Check virtual environment
0x08Check sandbox environment
0x10Sleep (5 seconds)
0x20Generate dummy packet
0x40System configuration (does not display hidden files)
0x80Assign hidden properties to the malware
Table 1. Nitol settings data

The virtual environment check uses the IN command to check whether it is running on a VMware virtual machine. As for sandbox environments, it checks whether the “api_log.dll” and “SbieDll.dll” DLLs are loaded. If it confirms that it’s in a virtual or sandbox environment, Nitol is shut down.

The dummy packet-generating option creates a random IP address and attempts to connect by matching the port number of an actual C&C address. When this process is successful, dummy data is transmitted. These behaviors are repeated 10 times, and it is likely that this is for the purpose of hindering network behavior analysis.

As the option that excludes the installation process is not activated in this malware, an installation process runs when the malware is executed. The installation process includes a self-copying stage where the malware copies itself under a random 6-character name in %APPDATA%, and a persistence maintaining stage where it uses the reg command to register itself to the Run key. When the installation process is complete, it executes the malware in the copied path and connects to the C&C server.

> “C:\Windows\System32\reg.exe” ADD “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /V “My App” /t REG_SZ /F /D “C:\Users\vmuser\AppData\Roaming\gkqske.exe”

Currently, access to the C&C server is unavailable, but once the connection is successfully established, the malware transmits basic information about the infected system, as shown below.

OffsetData
+0x00000x00000001
+0x0004Language and country information (Locale)
+0x0044Computer name
+0x00C4Windows version
+0x0104RAM size (GB)
+0x0124CPU performance (MHz)
+0x0144“Client”
Table 2. Information about the infected system to be sent to the C&C server
Figure 2. Past packet captured

When Nitol sends the infected system’s information to the C&C server, the server returns the command. The command can perform various functions including DDoS attacks, downloading files, and running updates. For reference, DDoS attacks were divided into three categories below, but the malware supports many more types of DDoS attacks.

Figure 3. User-Agent used in DDoS attacks
CommandFeature
0x0002DDoS Attack #1
0x0003DDoS Attack #2
0x0004DDoS Attack #3
0x0005Stop DDoS attack
0x0006Auto-delete
0x0010Download and run payload (SW_HIDE)
0x0011Download and run payload (SW_SHOW)
0x0012Update
0x0013Web page access via Internet Explorer (Hidden)
0x0014Web page access via Internet Explorer (IE popup)
0x0016Destroy MBR
Table 3. Commands that can be performed by Nitol

Out of the commands, there is one that receives a URL from the C&C server and connects to the corresponding web page using Internet Explorer. The command can be configured to access the web page unknown to the user or have Internet Explorer pop up to have users be aware.

Figure 4. Accessing web page using IE

Additionally, there is also a command that changes MBR to incapacitate the system after a reboot. When the system is restarted after the following data is written on MBR, it shows the string “Game Over” as shown below and makes the system unable to reboot.

Figure 5. MBR destruction routine
Figure 6. After rebooting

Nitol supports a command that downloads additional payloads, and this command was used to install Amadey Bot. The following are ASD (AhnLab Smart Defense) infrastructure logs that show Nitol having downloaded Amadey from an external address.

Figure 7. Nitol installing Amadey Bot

Installing Additional Payloads Using Amadey (Amadey Bot, njRAT)

After being installed by Nitol, Amadey Bot attempts to connect to C&C servers. When this process is successful, Amadey downloads a plugin responsible for extorting information to collect information from the infected system and send them to the C&C server. Besides account credentials, Amadey also takes periodic screenshots and sends them to the C&C server. The following blog post goes into a detailed analysis of Amadey.

Figure 8. Amadey’s network traffic

An examination of the current version of Amadey shows that it receives a command from the C&C server to install additional payloads, and accordingly, it downloads and installs a total of 4 files. These files are Amadey, Nitol, and a downloader, The Nitol mentioned above is Type A, but Amadey also installs Nitol Type B.

  • TeamViewerSetupx64.exe : Amadey
  • TeamViewer_Desktop.exe : Nitol Type A
  • explorer.exe : Nitol Type B
  • ServiceManager.exe : Downloader (Dotnet Packer)

The top-level list of the addresses where the malware are downloaded from is unavailable, but it can be assumed that there are various other malware strains aside from those mentioned.

Figure 9. Download page

The malware installed by the threat actor mimic original programs, with names such as TeamViewer, Explorer, and AnyDesk. The threat actor not only disguises the filename but also the icons to resemble the original programs when distributing the malware.

Figure 10. Icons of malware used in attacks

Torrent is the main platform used in malware propagation alongside file-sharing sites. When installing cracks or keygen files of commercial software using torrents, there is a risk of being infected with malware disguised as these programs. When Nitol is installed, the user PC acts as a DDoS Bot and can be used in DDoS attacks. In addition, it can also be used for installing additional malware such as Amadey. As for Amadey, it stays in the infected system to not only extort user credentials but also install additional malware.

Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.

File Detection
– Backdoor/Win.Nitol.C4533062 (2021.06.24.01)
– Trojan/Win.Generic.R539958 (2022.12.09.01)
– Downloader/Win.Amadey.C5329944 (2022.12.12.01)
– Downloader/Win.MSIL.C5329945 (2022.12.12.01)
– Downloader/Win.Amadey.C5329946 (2022.12.12.01)

Behavior Detection
– Malware/MDP.Behavior.M3108

MD5
– 3038c7bb0f593df3f52f0644c894c7ba : Nitol Type A
– d332cf184ac8335d2c3581a48ee0ad87 : Amadey (AnyDesk.exe)
– 852011cf885e76c0441dd52fdd280db7 : Amadey (TeamViewerSetupx64.exe)
– 0c9df67f152a727b0832aa4e7f079a71 : Nitol Type A (TeamViewer_Desktop.exe)
– e79b48eefa43aa34f360f68618992236 : Nitol Type B (explorer.exe)
– f01b49498b82320973c6006ee117f91e : Dotnet Downloader (ServiceManager.exe)

C&C URL
– rlarnjsdud0502.kro.kr:2222 : Nitol Type A
– hxxp://AQWe9sfiWSwPyVMJ[.]xyz/jg94cVd30f/index.php : Amadey
– hxxp://PMVqdJfUf3WlX9kI[.]xyz/jg94cVd30f/index.php : Amadey
– hxxp://SmgqNt3EIxXkSAsU[.]xyz/jg94cVd30f/index.php : Amadey
– 45.89.255[.]250:50505 : Nitol Type A
– gy9.gyddos[.]com:8889 : Nitol Type B
– 45.89.255[.]250:40404 : Nitol Type B
– 45.89.255[.]250:30303 : Downloader (Dotnet Packer)

Download URL
– hxxp://45.89.255[.]250:8080/AnyDesk.exe : Amadey
– hxxp://45.89.255[.]250:8080/TeamViewer_Desktop.exe : Nitol Type A
– hxxp://45.89.255[.]250:8080/explorer.exe : Nitol Type B
– hxxp://45.89.255[.]250:8080/TeamViewerSetupx64.exe : Amadey
– hxxp://45.89.255[.]250:8080/ServiceManager.exe : Downloader (Dotnet Packer)
– hxxp://45.89.255[.]250:8080/Kwvwz.png : Dotnet Downloader

Reference
[1] [ASEC Blog] Amadey Bot Being Distributed Through SmokeLoader
[2] [ASEC Blog] LockBit 3.0 Being Distributed via Amadey Bot
[3] [ASEC Blog] Nitol Malware Being Distributed in Forum Archive


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,,,

5 1 vote
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments