Amadey Malware Loader and Infostealer

Amadey: Trojan Bot and Malware Loader Operating Within a Botnet Infrastructure

Amadey is a Windows-based trojan bot that serves as both a malware loader and infostealer, facilitating the deployment of secondary threats and the collection of system data. First identified in 2018, Amadey has been utilized in various cybercriminal campaigns, often distributed via phishing emails, exploit kits, or other malware like Smoke Loader. It establishes a botnet by connecting infected machines to a command-and-control (C2) server, allowing attackers to manage and update the malware remotely .

Introduction to Amadey

Amadey operates by infiltrating Windows systems and performing reconnaissance to collect information such as OS version, installed applications, and antivirus software. It then communicates with a C2 server to receive instructions, which may include downloading and executing additional malware payloads. The malware's modular design allows for the integration of plugins to extend its capabilities, making it a versatile tool in the cybercriminal arsenal .

---

1. How Amadey Works

Infection Mechanism:

Amadey is typically distributed through:

• Phishing emails containing malicious attachments or links.
• Exploit kits like RigEK and Fallout EK.
• Other malware loaders, notably Smoke Loader.

Payload Execution:

Upon execution, Amadey:

• Collects system information, including OS details, installed software, and security products.
• Establishes persistence through registry modifications and scheduled tasks.
• Communicates with a C2 server to receive commands.
• Downloads and executes additional malware payloads as instructed.

---

2. History and Notable Campaigns

Origin and Discovery:

Amadey was first observed in October 2018, sold on Russian-speaking underground forums for approximately $500.

Notable Campaigns:

• Utilized in campaigns distributing RedLine Stealer, LummaC2, and STOP/Djvu ransomware.
• Employed by affiliates of the LockBit ransomware group.
• Distributed via phishing sites masquerading as game cheat providers.

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individuals and small businesses, particularly those with inadequate cybersecurity measures.
• Users downloading pirated software or visiting malicious websites.

Consequences:

• Data theft, including credentials and system information.
• Deployment of secondary malware, such as ransomware or additional trojans.
• Inclusion in a botnet, enabling remote control and coordination of infected machines.

---

4. Technical Details

Payload Capabilities:

• System reconnaissance and data exfiltration.
• Execution of additional malware payloads.
• Integration of plugins for extended functionality.

Evasion Techniques:

• Use of obfuscation and packing to avoid detection.
• Deployment of anti-sandbox techniques to hinder analysis .
• Regular updates to modify behavior and evade signature-based detection.

---

5. Preventing Amadey Infections

Best Practices:

• Avoid opening attachments or clicking links from unknown sources.
• Keep operating systems and software up to date with the latest security patches.
• Utilize reputable antivirus and endpoint protection solutions.
• Implement network monitoring to detect unusual outbound traffic.

Recommended Security Tools:

• Endpoint Detection and Response (EDR) solutions with behavioral analysis capabilities.
• Email security gateways to filter phishing attempts.
• Network intrusion detection systems (NIDS) to monitor for malicious activity.

---

6. Detecting and Removing Amadey

Indicators of Compromise (IoCs):

• Presence of unknown executables in %AppData% or %Temp% directories.
• Registry keys added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
• Unusual outbound connections to known malicious IP addresses or domains.

Removal Steps:

1. Isolate the infected system from the network.
2. Use updated antivirus or EDR tools to scan and remove the malware.
3. Manually inspect and clean registry entries and scheduled tasks related to Amadey.
4. Change all passwords and monitor accounts for unauthorized activity.

Professional Help:

For extensive infections or if secondary malware has been deployed, consult cybersecurity professionals for thorough remediation.

---

7. Response to an Amadey Infection

Immediate Steps:

• Disconnect the affected machine from the network.
• Conduct a full system scan using reputable security software.
• Notify relevant stakeholders and, if necessary, regulatory bodies.
• Implement measures to prevent future infections, such as user training and improved security protocols.

---

8. Legal and Ethical Implications

Legal Considerations:

Infections involving Amadey may necessitate reporting under data protection regulations like GDPR, HIPAA, or CCPA, especially if personal data has been compromised.

Ethical Considerations:

The use of Amadey in cyberattacks underscores the ethical issues surrounding the development and distribution of malware, highlighting the need for responsible cybersecurity practices and international cooperation to combat cybercrime.

---

9. Resources and References

• Check Point: What is the Amadey Botnet?
• SonicWall: Amadey Malware Has Improved Its String Decoding Algorithm
• Cyble: The Rise of Amadey Bot
• McAfee: Deconstructing Amadey's Latest Multi-Stage Attack
• MITRE ATT&CK Techniques:
  • S1025 (Amadey)
  • T1055 (Process Injection)
  • T1059 (Command and Scripting Interpreter)
  • T1204.002 (User Execution: Malicious File)
  • T1041 (Exfiltration Over C2)

---

10. FAQs about Amadey

Q: What is Amadey malware?

A: Amadey is a Windows-based trojan bot that functions as a malware loader and infostealer, often used to deploy additional malware and collect system information.

Q: How does Amadey spread?

A: It spreads through phishing emails, exploit kits, and other malware loaders like Smoke Loader.

Q: Is Amadey still active?

A: Yes, Amadey remains active and continues to be used in various cybercriminal campaigns.

Q: What types of malware does Amadey deploy?

A: It has been observed deploying malware such as RedLine Stealer, LummaC2, and STOP/Djvu ransomware.

---

11. Conclusion

Amadey is a key component in many modern malware campaigns, offering threat actors a lightweight, versatile tool for reconnaissance and payload delivery. Its simple structure, plugin support, and commercial availability make it a favored option for launching multi-stage attacks with minimal overhead. As it continues to evolve, Amadey highlights the need for layered defenses and vigilant user awareness.

 

 

« Back to the Virus Information Library

« Back to the Security Center