The Amadey malware is being used for LockBit 3.0 deployment

November 23, 2022
Tags: Amadey, Malware, LockBit 3.0, Deployment, Propagation, Ransomware

New warnings have been released concerning the threat of Amadey malware being used to deploy the LockBit 3.0 ransomware on compromised machines. In a recent report, analysts stated that the Amadey operators distribute it through a malicious Word file and through an executable disguised with a Word file icon.

Researchers first spotted the Amadey malware being sold on dark web marketplaces for around $600 when it was introduced as a criminal-to-criminal (C2C) botnet infostealer in 2018.


As its authors describe, the Amadey malware harvests sensitive data from its infected hosts and acts as a channel to deploy next-stage payloads to a compromised computer.


Last July, security experts found that the malware was being propagated using SmokeLoader. Additionally, in October, a separate security group spotted the malware being spread to victims in a phishing operation that impersonated the popular instant messaging app ‘KakaoTalk’.

The latest Amadey malware analysis was based on an MS Word file uploaded to VirusTotal named ‘심시아[.]docx,’ which contained a malicious VBA macro. Once the victim enables macros, the macro runs a PowerShell command that leads to the launch of Amadey.

Aside from the initial analysis, the researchers also discovered that the operators have disguised the malware as a file bearing an MS Word icon that, if opened, runs an executable named ‘Resume[.]exe.’ This attack chain is usually spread through phishing campaigns, although the malicious email that carried the executable has yet to be found.

Once Amadey is running on a computer, it begins fetching and executing additional payloads sent by the threat operators’ C2 server, including LockBit 3.0 delivered either as a PowerShell script or as a binary.
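The two infection paths described above share one observable: an Office application (the macro-laden ‘심시아[.]docx’) or a document-looking executable hands control to a script host such as PowerShell. The following detection routine is an added example, not code from the report or from any vendor named here. It runs over constructed process-creation events written as JSON lines with Sysmon-style field names (`UtcTime`, `Computer`, `ParentImage`, `Image`, `CommandLine`); the parent/child lists, the command-line markers and the sample events are all assumptions chosen for illustration, not indicators taken from the Amadey campaign.

```python
"""Flag Office applications that spawn script hosts in process-creation telemetry.

Added defensive example. Field names follow the Sysmon Event ID 1 schema;
the event records below are constructed for this illustration.
"""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# Office parents that should rarely launch an interpreter (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts a macro typically reaches for (assumed, not exhaustive).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that raise severity: hidden windows, encoded
# commands and in-line downloaders (assumed markers).
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden",
                   "-windowstyle hidden", "downloadstring",
                   "invoke-webrequest", "bitsadmin")


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    child: str
    severity: str   # "medium" or "high"
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return PureWindowsPath(path).name.lower()


def analyze_events(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Office-parent -> script-host child event."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than trusted
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("CommandLine", "").lower()
        hits = [m for m in SUSPICIOUS_ARGS if m in cmd]
        severity = "high" if hits else "medium"
        reason = f"{parent} spawned {child}"
        if hits:
            reason += " with " + ", ".join(hits)
        findings.append(Finding(ev.get("UtcTime", "?"), ev.get("Computer", "?"),
                                parent, child, severity, reason))
    return findings


# Constructed sample events: one macro-style launch, two benign Office
# events, and one lower-confidence cmd.exe launch from Excel.
SAMPLE_EVENTS = [
    json.dumps({"UtcTime": "2022-11-20 09:14:03", "Computer": "WS01",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}),
    json.dumps({"UtcTime": "2022-11-20 09:13:58", "Computer": "WS01",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\report.docx"'}),
    json.dumps({"UtcTime": "2022-11-20 09:20:11", "Computer": "WS01",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\splwow64.exe",
                "CommandLine": "C:\\Windows\\splwow64.exe 12288"}),
    json.dumps({"UtcTime": "2022-11-20 10:02:45", "Computer": "WS02",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c dir C:\\temp"}),
]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.ts} {f.host}: {f.reason}")
```

Matching on the parent/child pair rather than on a specific file name keeps the rule useful after the lure document is renamed; the command-line markers only adjust severity, so a macro that launches a plain PowerShell session is still surfaced for review.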

First spotted in June 2022, LockBit ransomware version 3.0, also known as LockBit Black, is a ransomware-as-a-service (RaaS) payload regarded as one of the most widely used ransomware families of 2022. Its launch also brought a new dark web portal and a bug bounty program with rewards of up to $1 million for those who find bugs in its software and website.

The pairing of Amadey with LockBit has prompted security experts to express concern and to advise users to stay vigilant.
