Threat Spotlight: Amadey Bot Targets Non-Russian Users
Amadey is a simple Trojan bot first discovered in October of 2018. It is primarily used for collecting information on a victim’s environment, though it can also deliver other malware.
A major infection vector for Amadey are exploit kits such as RigEK and Fallout EK. During our monitoring, we also observed this Trojan being delivered via AZORult Infostealer on February 23rd to March 1st, and April 18th to June 5th. The sample hash values were not changed frequently. Recently, TA505 used Amadey for their campaign in April 2019.
This technical blog reveals the detailed behavior of Amadey and examines its AZORult campaign. It focuses on the latest sample (DE8A40568834EAF2F84A352D91D4EA1BB3081407867B12F33358ABD262DC7182) which was actively spread for about a month.
Amadey possesses decode logic as seen in Figure 1. It obfuscates strings like domain name, dll file names, API names, antivirus (AV) vendor names, and so on. For example, “94 D6 CD CF 99 DA AD 92 CF CD 98 D7 96 AA A1 D6 AA A1 D6 94 C6 A6 CF” (embedded in this malware file) decodes to the command and control (C2) domain name: ashleywalkerfuns[.]com.
Figure 1: Amadey’s decode routine
When run, Amadey looks for antivirus products installed on the victim machine (see Table 1). Next, it copies itself to “C:ProgramData44b36f0e13” as “vnren.exe” and then executes that file before terminating the original process. The “ProgramData” subfolder name is hardcoded in the binary and it can vary from sample to sample:
Table 1: AV product names and codes
If Amadey finds Norton (0xA) or Sophos (0xB) AV software installed on the victim machine, it does not drop itself under the %PROGRAMDATA% directory (see Figure 2):
Figure 2: Amadey does not drop itself if it finds Norton or Sophos
For persistence, Amadey changes the Startup folder to the one containing “vnren.exe”. It overwrites the registry keys to change the Startup folder, as shown in Figure 3:
Figure 3: Amadey overwrites the Startup folder for its persistence
It also checks for installed antivirus products. If it finds 360TotalSecurity, as shown in Figure 4, it does not overwrite the registry key:
Figure 4: Amadey does not establish its persistence when it finds 360 Total Security
Table 2 shows the parameters and their values which Amadey uses for its POST requests:
Identification. Computed based on Volume Serial Number.
Amadey version (1.09 for these samples)
If victim user has administrative privilege, the value is 1. Otherwise, it is 0.
“1” for 64 bit. “0” for 32 bit.
Install additional malware if the value is 0.
OS version. (e.g., Windows 7 is 9).
If there is no antivirus product, it is 0. Otherwise, it is assigned to a number in Table 1.
Computer name from GetComputerNameA
User name from GetUserNameA
Table 2: POST parameters of Amadey
Amadey sends the parameters in plaintext to the C2 servers every 60 seconds (see Figure 5):
Figure 5: Request example
The C2 server returns a list of URLs to remote malware files. Amadey downloads and runs the remote files to further infect the host machine with additional malware (see Figure 6):
Figure 6: Response example
During our investigation, we found the following login page shown by the C2 server (see Figure 7):
Figure 7: A live Amadey C2 login page
Amadey C2 Tool
- Statistical information of victim machines (Figure 8)
- A list of infected machines (Figure 9)
- Task management of additional malware installation (Figure 10)
◦ The C2 tool will not run any tasks or install any additional malware if the victim machine is in Russia (Figure 11):
Figure 8: Statistics information
Figure 9: All victim information
Figure 10: Task creation
Figure 11: The C2 tool will not run any tasks against victims in Russia
(NOTE: Some lines of code are removed)
Amadey Campaign via AZORult
In 2019, BlackBerry Cylance discovered two Amadey campaigns involving AZORult Infostealer. The first ran between February 23rd to March 1st (Table 3), the second from April 18th and June 5th (Table 4). We suspect these campaigns were led by the same attacker based on following profile:
- All of them used the same version (v1.09)
- Remote files names start with “ama”
- All of them included Amadey dropping itself as “vnren.exe”
Feb. 23 2019 – Feb. 24 2019
Feb. 25 2019 – Mar. 1 2019
Table 3: Amadey campaign from otsosukadzima[.]com (an AZORult C2 server)
Apr. 18 2019
Apr. 18 2019 – Apr. 20 2019
Apr. 25 2019 – May. 21 2019, May. 28 2019 – Jun. 5 2019
Table 4: Amadey campaign from kadzimagenius[.]com (an AZORult C2 server)
Amadey is a new bot family spread by AZORult infostealer. The source code analysis of its C2 tool revealed that it does not download additional malware if victims are in Russia.
BlackBerry Cylance uses artificial intelligence-based agents trained for threat detection on millions of both safe and unsafe files. Our automated security agents block Amadey based on countless file attributes and malicious behaviors instead of relying on a specific file signature. BlackBerry Cylance, which offers a predictive advantage over zero-day threats, is trained on and effective against both new and legacy cyberattacks.
If you are a BlackBerry Cylance customer using CylancePROTECT®, you are protected from Amadey by our machine learning models.
For more information visit https://www.cylance.com.
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Masaki Kasuya. Read the original post at: https://threatvector.cylance.com/en_us/home/threat-spotlight-amadey-bot.html