SmokeLoader malware used to distribute Amadey info-stealer

  • Thread starter: Security feed from CyberSecurity Help

A new version of the Amadey Bot information-stealing malware is being distributed via the SmokeLoader loader, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a new report.

First observed four years ago, Amadey Bot steals information from the infected host and installs additional malware on commands received from the attacker. It has been sold on underground forums and used by a range of threat actors. Amadey has been seen in campaigns that installed ransomware (GandCrab) or the FlawedAmmyy malware (used by the TA505 group, which is linked to the Clop ransomware), and in attacks involving the Fallout and Rig exploit kits.

Now, the researchers say, they have discovered a new version of Amadey that is delivered by another malware family, SmokeLoader, which is itself distributed disguised as software cracks or key generators.

SmokeLoader, which offers various additional information-stealing features as plug-ins, is normally used as a downloader for installing further malware.

Once executed, SmokeLoader injects its "Main Bot" component into the already running explorer.exe process, so that the malicious code runs under the name of a legitimate system process and blends in with normal activity, and then downloads Amadey onto the system.

Upon execution, Amadey copies itself into a Temp folder under the name "bguuwe.exe" and then registers the folder containing that copy as a startup folder, so the copy is run again after a reboot. It can also register itself with Task Scheduler as a second persistence mechanism.

The next step is to establish command-and-control communication with the attackers. Amadey collects basic information about the host, such as the computer name, the user name and the list of installed anti-malware products, and sends it to the C&C servers. It then downloads the cred.dll plug-in and installs additional malware, in this case the RedLine information stealer.
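The chain described above (injection into explorer.exe, an executable dropped in a Temp folder, a startup-folder or scheduled-task registration pointing at it, and the C&C check-in) is observable from endpoint telemetry. The following is an added detection sketch, not code from ASEC or from this article: it runs a few behaviour rules over Sysmon-style events, expressed as Python dicts using Sysmon's own field names (Image, CommandLine, SourceImage, TargetImage, TargetFilename, TargetObject, Details, DestinationIp, DestinationPort), and correlates the hits per host. The sample events, host and user names, SID and C&C address are constructed; the assumption that "registering its folder as a startup folder" surfaces as a write to Explorer's User Shell Folders\Startup value, the schtasks command line, and the alert threshold are also assumptions for the example.

```python
"""Behavioural detection for the SmokeLoader -> Amadey chain described above.

Added example; not code from ASEC or the article. Evaluates rules over
Sysmon-style events (dicts keyed with Sysmon's field names) and correlates
the hits per host. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Windows paths are case-insensitive, so every pattern is compiled with re.I.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp(\\|$)", re.I)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: "registering its folder as a startup folder" shows up as a write
# to the per-user Startup entry under Explorer's (User) Shell Folders key.
STARTUP_FOLDER_VALUE = re.compile(r"\\Explorer\\(User )?Shell Folders\\Startup$", re.I)
ALERT_THRESHOLD = 3  # distinct rules on one host before alerting (tuning assumption)


def check_event(ev):
    """Return (rule_name, detail) if the event matches one rule, else None."""
    eid = ev["EventID"]
    if eid == 8:  # CreateRemoteThread: how injection into explorer.exe surfaces
        src, dst = ev["SourceImage"], ev["TargetImage"]
        # Threads from binaries under C:\Windows are ignored here; a real hunt
        # would also check the signer, since attackers can write there too.
        if dst.lower().endswith("\\explorer.exe") and not WINDOWS_DIR.search(src):
            return ("remote_thread_into_explorer", src)
    elif eid == 11:  # FileCreate: the loader dropping a copy into %TEMP%
        path = ev["TargetFilename"]
        if path.lower().endswith(".exe") and TEMP_PATH.search(path):
            return ("exe_dropped_in_temp", path)
    elif eid == 13:  # RegistryEvent (value set): autostart pointing at %TEMP%
        key, data = ev["TargetObject"], ev["Details"]
        if RUN_KEY.search(key) and TEMP_PATH.search(data):
            return ("run_key_points_to_temp", data)
        if STARTUP_FOLDER_VALUE.search(key) and TEMP_PATH.search(data):
            return ("startup_folder_redirected_to_temp", data)
    elif eid == 1:  # ProcessCreate: schtasks creating a task for a %TEMP% binary
        cmd = ev["CommandLine"]
        if (ev["Image"].lower().endswith("\\schtasks.exe")
                and "/create" in cmd.lower() and TEMP_PATH.search(cmd)):
            return ("scheduled_task_for_temp_binary", cmd)
    elif eid == 3:  # NetworkConnect: a %TEMP% binary calling out (C&C check-in)
        if ev.get("Initiated", True) and TEMP_PATH.search(ev["Image"]):
            return ("temp_binary_outbound",
                    f'{ev["Image"]} -> {ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return None


def correlate(events):
    """Group rule hits by host; alert when enough distinct rules fire on one host."""
    hits = defaultdict(dict)
    for ev in events:
        match = check_event(ev)
        if match:
            hits[ev["Computer"]].setdefault(match[0], match[1])
    return {host: {"rules": sorted(h), "details": dict(h), "alert": len(h) >= ALERT_THRESHOLD}
            for host, h in hits.items()}


# Constructed telemetry: WS01 shows the full chain, WS02 only an installer in %TEMP%.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\keygen.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS01", "EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": r"C:\Users\alice\AppData\Local\Temp"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn bguuwe '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\bguuwe.exe"'},
    {"Computer": "WS01", "EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 80, "Initiated": True},
    {"Computer": "WS01", "EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},  # ordinary system activity, ignored
    {"Computer": "WS02", "EventID": 11,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\setup_tmp.exe"},
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "ok", result["rules"])
```

Each rule on its own is noisy (installers write to Temp all the time, which is why WS02 stays quiet); the signal is several of them landing on one host in sequence, which is why the example correlates per host rather than alerting on single events. The rules should be tuned to local Temp paths and to any legitimate software that injects into explorer.exe before use.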

The latest Amadey version (3.21) can detect 14 anti-virus products on the host, the researchers said.

“Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently. Once the malware is installed, it can stay in the system to steal user information and download additional payloads. Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance,” AhnLab advised.
