Search
  • Mark van Vuuren

Amadey Bot and SmokeLoader Malware

Back after a sabattical, craftier than before


After a four-year sabbatical, the infamous Amadey Bot malware has returned with even more crafty tricks up its sleeve, says Vladimir Unterfingher in a recent Heimdal Security Blog.

According to Unterfingher, the malware was recently detected in the wild by a team of Korean security researchers. The new and improved version of the malware flaunts even more features compared to its predecessor such as scheduled tasks for persistence, advanced reconnaissance, UAC bypassing, and defense evasion strategies tailored for 14 known antivirus products. Research shows that Amadey piggybacks on SmokeLoader which lures in users with keygens and software cracks.

SmokeLoader Entices Users with Illicit Software

AhnLab’s cybersecurity researchers have identified a new version of the Amadey Bot malware after a four-year hiatus. The latest iteration of Amadey ditches Rig exploit kits and Fallout for more efficient recon, penetration, and C2 features. According to the research team, SmokeLoader, the malware in charge of deploying Amadey on the victim’s machine, lands on the device with the user’s permission. In this case, the malware’s creators will lure in the users by disguising SmokeLoader into a keygen or a software crack.

And since online piracy will never go out of fashion, tricking the user into executing the package is easy. Many of these cracks trigger AV warnings, which, in turn, prompt the user into deactivating the AV or whitelisting the executable. The malware’s creators took advantage of this psychological cue and crafted an executable that would fool just about any AV engine. So, what happens after the user executes the malicious package? First of all, the application for which the crack was created would crash or would simply not launch. Second, SmokeLoader would inject its bot into the explorer.exe process, thus rubberstamping Amadey’s deployment.

This is where the ‘fun’ begins’ – once SmokeLoader finishes deploying and executing Amadey, the bot will lodge itself in the TEMP folder and spawn several scheduled tasks using CMD. After that, Amadey will contact the hacker-held server (i.e., C2) and hand-deliver some very useful, host-related information (e.g., Operating System, architecture, list of vulnerable apps, or running AV/AM solutions, etc.).

At this point, the attacker is free to perform any number of actions on the victim’s machine such as deploying additional tools for recon or installing info-stealing add-ons. One interesting aspect about the Amadey bot is its ability to use antivirus profiles. In essence, the malware’s creators have hardcoded numerous AV profiles (i.e., 14, to be precise) into Amadey. So, once Amadey starts chatting with the C2 server, the threat actor will know exactly how to bypass protection. On top of that, once Amadey gets ahold of your AV’s profile, all future payloads or DLLs will be executed with elevated privileges.

How Can Heimdal™ Help

We acknowledge the fact that downloading illegal content is alluring and that, most of the time, it’s fueled by the publisher’s price-making policy. Heimdal™ does not condone this type of activity and advises all its users and readers against downloading and using pirated software. The same goes for software designed to bypass developer-enforced protection. So, go on and pay that subscription or the full price – it’s only a win-win situation, but it will also save you from a world of hurt.

As for protection, our recommendation steers towards a blend that will help you fight on several fronts at the same time. Heimdal™ Threat Prevention – Endpoint will immediately sever any type of C2 communication, Next-Gen Antivirus & MDM clears any malicious files that may have landed on your machine, while Privileged Access Management will ensure that no file or process or executable acquires elevated rights without reason. Try them out today!

If you liked this article, follow Heimdal on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

12 views0 comments