Software cracks in SmokeLoader campaign vector of the Amadey malware

July 28, 2022

A new and improved version of the Amadey malware is being spread through the SmokeLoader campaign, using key generator sites and software cracks as bait. Amadey is malware first seen in 2018 that can perform system reconnaissance, load additional payloads, and steal information.

Recent reports suggest that a new version of the Amadey malware has resurfaced through SmokeLoader campaigns. Researchers claimed that this reemergence of the malware relied heavily on the Rig and Fallout exploit kits, which have fallen out of favour because they target old flaws.

SmokeLoader is downloaded and run voluntarily by unaware victims because it is disguised as a key generator or software crack. Since cracks and keygens routinely trigger antivirus alerts, users commonly disable their antivirus before running such programs, which makes this an attractive vector for spreading malware.

Upon execution, the payload injects the main bot into the already running explorer[.]exe process. Because the operating system trusts that process, the injected code can download the Amadey malware onto the system unhindered.


Amadey malware will hide in a TEMP folder after infection.


Once Amadey is retrieved and run, it copies itself to the TEMP folder under the file name bguuwe[.]exe and creates a scheduled task, via a cmd[.]exe command, to establish persistence.

Subsequently, Amadey establishes command-and-control communication and delivers a system profile to the adversary's server, including operating system information, the list of installed antivirus products, and the architecture type.

The latest Amadey variant can identify at least 14 AV products and fetch payloads tailored to bypass the solutions it has identified.

In addition, the server can respond with instructions to download further plugins in the form of DLLs, as well as copies of additional information stealers, notably RedLine. The malware then retrieves and installs these payloads using UAC bypass and privilege escalation tools.

For this, Amadey makes use of the program FXSUNATD[.]exe and escalates to administrator privileges through DLL hijacking. Before downloading the payloads, the malware also adds the corresponding exclusions to Windows Defender using PowerShell.

Furthermore, Amadey periodically takes screenshots and saves them in the TEMP folder, from where they are sent to the command-and-control server with the next POST request.
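The persistence and defence-evasion steps described above (a copy running from TEMP, a scheduled task pointing at that copy, and Windows Defender exclusions added through PowerShell) are the kind of behaviour a process-creation detection rule can flag. The following Python is an added example and is not code from the original article or from any security vendor: the events are constructed, the use of schtasks and the Add-MpPreference cmdlet are assumptions about how those steps are typically carried out, and only the file name bguuwe.exe is taken from the article.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event as an EDR or Sysmon-style sensor would record it."""
    parent_image: str
    image: str
    command_line: str


# An executable living directly under a Temp/Tmp directory.
TEMP_EXE = re.compile(r"\\(?:temp|tmp)\\[^\s\"']+\.exe", re.IGNORECASE)
# schtasks used to create a task (assumed mechanism for the cmd.exe persistence step).
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Defender exclusion added from PowerShell (Add-MpPreference is a real cmdlet; its use here is assumed).
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE
)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection findings that apply to a single event (empty list if benign)."""
    findings = []
    cmd = ev.command_line
    if SCHTASKS_CREATE.search(cmd) and TEMP_EXE.search(cmd):
        findings.append("persistence: scheduled task pointing at an executable under TEMP")
    if ev.image.lower().endswith("powershell.exe") and DEFENDER_EXCLUSION.search(cmd):
        findings.append("defense evasion: Windows Defender exclusion added via PowerShell")
    if TEMP_EXE.search(ev.image) or TEMP_EXE.search(ev.parent_image):
        findings.append("informational: executable running from TEMP directory")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Run every rule over every event and return (image, finding) pairs."""
    return [(ev.image, f) for ev in events for f in classify(ev)]


# Constructed sample events modelled on the behaviour the article describes.
# The victim path, task name and schedule are made up for illustration.
SAMPLE_EVENTS = [
    # 1. Amadey copy launched from TEMP.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\victim\AppData\Local\Temp\bguuwe.exe",
              "bguuwe.exe"),
    # 2. Persistence: cmd.exe spawned by the TEMP copy creates a scheduled task for it.
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\bguuwe.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c schtasks /create /sc minute /mo 1 /tn bguuwe.exe '
              r'/tr "C:\Users\victim\AppData\Local\Temp\bguuwe.exe" /f'),
    # 3. Defence evasion: PowerShell adds a Defender exclusion for the TEMP folder.
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\bguuwe.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Local\Temp"'),
    # 4. Benign: an installed backup product registering its own task.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
    # 5. Benign: an administrator reading the Defender configuration.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-MpPreference"),
]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:70} {image}")
```

The scheduled-task rule deliberately requires both a task creation and a TEMP-resident target, so legitimate software registering tasks from Program Files (event 4) stays quiet; the TEMP-execution rule is kept informational because installers also run from TEMP, and it is the combination of the three findings within one process tree that is worth an alert.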

Experts advise users to be more cautious about downloading cracked files, software activators or inauthentic keygens that promise free access to premium products, in order to avoid infection with RedLine and the Amadey bot.
