A dangerous malware variant called “Amadey Bot” that has been largely dormant for the past two years has surfaced again with new features that make it stealthier, more persistent, and much more dangerous than previous versions — including antivirus bypasses.
Amadey Bot first appeared in 2018 and is primarily designed to steal data from infected systems. However, various threat actors — such as Russia’s infamous TA505 advanced persistent threat (APT) group — have also used it to distribute other malicious payloads, including GandCrab ransomware and the FlawedAmmy remote access Trojan (RAT), making it a threat for enterprise organizations.
Previously, threat actors used the Fallout and RIG exploit kits, as well as the AZORult infostealer, to distribute Amadey. But researchers at South Korea’s AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least 2011.
Smoke & Mirrors
Researchers at AhnLab found that the operators of the new Amadey variant have disguised SmokeLoader as software cracks and fake key generators for commercial software, which people often download to try to activate pirated copies. When a user runs the download believing it to be a crack or a key generator, SmokeLoader injects its malicious payload into the running Windows Explorer process (explorer.exe) and then downloads Amadey onto the infected system, the AhnLab researchers found.
Once it is executed, Amadey copies itself into the TEMP folder and adds itself to the Startup folder, so the malware runs again after a system reboot. As an additional persistence measure, Amadey also registers itself as a scheduled task in Task Scheduler, according to AhnLab.
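The two persistence mechanisms described above (a payload staged in the TEMP folder and launched from both the Startup folder and a scheduled task) are what a defender should hunt for. The following is an added example, not code from the article, AhnLab or Heimdal: it takes an inventory of autostart entries (the record format, the temp-directory patterns and all sample paths are constructed for this example) and flags entries whose executable lives under a temp directory, plus any executable registered through more than one autostart mechanism.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Locations where a legitimate autostart entry rarely lives but where droppers
# commonly stage their payload. This list is an assumption for the example;
# tune it to your environment.
TEMP_DIR_PATTERNS = [
    re.compile(r"^%temp%\\", re.IGNORECASE),
    re.compile(r"^%tmp%\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
]


@dataclass(frozen=True)
class AutostartEntry:
    source: str   # "scheduled_task" or "startup_folder"
    name: str     # task name or shortcut file name
    command: str  # command line (task action) or shortcut target


def extract_executable(command: str) -> str:
    """Return the program path from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def runs_from_temp(entry: AutostartEntry) -> bool:
    """True if the entry's executable lives under a temp directory."""
    exe = extract_executable(entry.command)
    return any(p.search(exe) for p in TEMP_DIR_PATTERNS)


def find_temp_autostarts(entries):
    """All autostart entries whose executable is staged in a temp directory."""
    return [e for e in entries if runs_from_temp(e)]


def find_double_persistence(entries):
    """Executables registered through more than one autostart mechanism.

    Returns a dict mapping the lower-cased executable path to the set of
    sources (e.g. {"scheduled_task", "startup_folder"}) that launch it.
    """
    by_exe = defaultdict(set)
    for e in entries:
        by_exe[extract_executable(e.command).lower()].add(e.source)
    return {exe: srcs for exe, srcs in by_exe.items() if len(srcs) > 1}


# Constructed sample inventory: what an export of scheduled tasks plus the
# per-user Startup folder might look like. Vendor names and paths are made up.
SAMPLE_ENTRIES = [
    AutostartEntry("scheduled_task", r"\Microsoft\Windows\ExampleVendor\Updater",
                   r'"C:\Program Files\ExampleVendor\updater.exe" /silent'),
    AutostartEntry("startup_folder", "CloudSync.lnk",
                   r"C:\Program Files\CloudSync\cloudsync.exe"),
    # Two entries for one binary dropped into the user's temp directory:
    # the same pattern the article describes (Startup folder + scheduled task).
    AutostartEntry("scheduled_task", r"\payload",
                   r'"C:\Users\alice\AppData\Local\Temp\a1b2c3\payload.exe"'),
    AutostartEntry("startup_folder", "payload.lnk",
                   r"C:\Users\alice\AppData\Local\Temp\a1b2c3\payload.exe"),
    AutostartEntry("scheduled_task", r"\Cleanup",
                   r"%TEMP%\cleanup.exe --quiet"),
]


if __name__ == "__main__":
    for e in find_temp_autostarts(SAMPLE_ENTRIES):
        print(f"[temp-staged]    {e.source:15} {e.name:45} -> {e.command}")
    for exe, sources in find_double_persistence(SAMPLE_ENTRIES).items():
        print(f"[double-persist] {exe} via {sorted(sources)}")
```

On a real host the inventory would come from an export of scheduled-task actions and the targets of the shortcuts in each user's Startup folder; the logic above is deliberately independent of how that export is produced. A hit on either check is a lead, not a verdict: confirm the binary's origin, signature and hash before acting on it.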
After the malware completes its initial setup, it contacts a remote, attacker-controlled command-and-control (C2) server and downloads a plug-in that collects environment information. This includes details such as the computer name and username, operating system information, a list of applications installed on the system, and a list of all anti-malware tools present on it.
The sample of the new Amadey variant that the AhnLab researchers analyzed was also designed to take periodic screenshots of the current screen and send them back in JPG format to the attacker-controlled C2 server.
Bypassing AV Protections
AhnLab found that the malware is configured to look for and bypass antivirus tools from 14 vendors, including Avast, Avira, BitDefender, Kaspersky, Sophos, and Microsoft’s Windows Defender.
“The new and improved version of the malware flaunts even more features compared to its predecessor,” security vendor Heimdal said in a blog post. This includes features “such as scheduled tasks for persistence, advanced reconnaissance, UAC bypassing, and defense evasion strategies tailored for 14 known antivirus products,” it noted.
Once Amadey relays system information to the C2 server, the threat actor knows exactly how to bypass protection for the specific AV tools that might be present on the system. “On top of that, once Amadey gets ahold of your AV’s profile, all future payloads or DLLs will be executed with elevated privileges,” Heimdal warned in the blog post.
A More Dangerous Version of Amadey
The information that Amadey relays to the C2 server allows the attackers to take a variety of follow-up actions, including installing additional malware. The sample that AhnLab analyzed, for instance, downloaded a plug-in for stealing Outlook emails and information about FTP and VPN clients on the infected system.
It also installs an additional information stealer called RedLine on the victim system. RedLine is a prolific information stealer that first surfaced in 2020 and has been distributed through various mechanisms, including COVID-19-themed phishing emails, fake Google ads, and targeted campaigns. Researchers from Qualys recently observed the malware being distributed via fake cracked software on Discord.
Researchers from BlackBerry Cylance who analyzed the earlier version of Amadey determined at the time that the malware does not install any additional payloads if it assesses the victim to be in Russia.