First discovered in 2018, the Amadey Bot malware strain is capable of performing system reconnaissance, information theft, and payload deployment. While the malware has seen limited use since 2020, researchers have recently reported that a new version has entered circulation.
Amaday bot malware
In its latest version, number 3.21, Amadey can identify 14 different antivirus products and is presumed capable of then fetching payloads that evade antivirus programs. It is supported by the SmokeLoader malware – an older malware that remains as an infamous component of hackers’ toolkits.
New Amadey campaign
SmokeLoader is unintentionally downloaded and executed by victims. It’s masked as a software crack or keygen. Because software cracks and key generators commonly trigger antivirus warnings, and because users are often in a hurry to download what they want or need, when prompted, users tend to disable antivirus programs (or whitelist the malware), playing into hackers’ hands. This makes SmokeLoader an ideal means of malware deployment.
To execute, this malware injects “Main Bot” into the currently running process. Main Bot manipulates the OS into trusting it and allowing for the download of Amadey onto the system.
However, once Amadey starts to execute, the malware copies itself to a TEMP folder. It then creates a scheduled task to maintain persistence using a specific command. Afterwards, Amadey establishes C2 communication and sends a system profile to the threat actor’s server.
Further Amadey details
Amadey malware is available for sale in underground web forums. Previously, it was used by cyber crime groups to install GandCrab ransomware and the Flawed Ammyy Remote Access Trojan (RAT).
Amaday is capable of targeting the following software: Mikrotik Router Management Program Winbox, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP.
How to avoid Amadey malware
Consider fighting this malware on several fronts.
- Ensure that your organization retains strong email security
- Prioritize endpoint security
- Apply the latest patches for OS
- Apply the latest patches for internet browsers
- Update V3 to the latest version to prevent malware infections
- Leverage privileged access management to prevent Amadey from circumventing antivirus programs
As noted previously, Amaday malware effectively hides from antivirus programs, making antivirus more of a liability than an asset. In turn, organizations need to apply sophisticated and multi-dimensional means of preventing and detecting malicious behavior.
Malware is still extremely inexpensive for hackers, which is why many hackers continue to pursue it. More than 75% of listed malware advertisements and over 90% of malware exploits sell for less than $10.00 USD.
Malware-as-a-Service software kits are providing cyber criminals with easy ways to gain a foothold in organizations’ ecosystems. Although malware deployment once required serious skills, knowledge and resources, modern malware deployment is simple and it’s less expensive than a soda and a sandwich.
Looking for more on malware? Get 10 eye-opening mobile malware statistics here. Or read about malware trends from the perspective of a cyber security researcher, here. For more on this story, click here. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.