Amadey Bot distributed in SmokeLoader campaign via cracked software

A new version of the Amadey malware is pushed through cracks and keygen sites that lure users

New Amadey malware campaigns. Users install bundles carrying an info-stealer when they fetch cracks and key-generation tools from the web

Cybercriminals use the SmokeLoader malware to install the Amadey Bot on victims' devices. Victims are lured into downloading the information-stealing malware by threat actors who use keygens and software cracks as bait.[1] Researchers report that the threat is now distributed bundled with SmokeLoader and hidden in software cracks and serial-key generators on the various sites that host such files and packages.[2]

Amadey is an information stealer that also acts as a loader: it installs additional malware, takes commands from the attacker to carry out further activity, deploy other infections, or steal specific data, and performs system reconnaissance. It was first observed in 2018 and was not very active after 2020, but recent reports show improved versions circulating with the help of the equally old and still very active SmokeLoader.

Amadey used to rely mainly on the RIG exploit kit, but exploit kits have largely retired because browser exploitation became unreliable and success rates fell. SmokeLoader now fills the delivery role: it downloads Amadey, which in turn fetches the plugins used for information gathering.[3] Once launched, SmokeLoader injects its Main Bot into the running explorer.exe process and carries out all of its malicious operations from inside that process.

The malware hides in temp folders and runs again after each reboot

Amadey begins communicating with its C&C server[4] as soon as the infection starts, sending the computer name, user name, OS version, and the list of installed antivirus tools, so the operators can profile the victim. The threat also drops copies of the payload in temp folders and alters registry autorun entries and the Startup folder so that the process is launched again after every reboot.

Once installed, the malware stays on the system to steal user information and download additional payloads.

The operators can act on the information gathered about the affected device and instruct the bot to download plugins, fresh copies of the payload, and other information-stealing software. The bot targets email clients, FTP clients, VPN clients, and similar software whose stored credentials can be valuable later on.[5]

The new Amadey malware campaign

Unfortunately, the SmokeLoader malware is downloaded by the victim voluntarily: it is disguised as a software crack or a keygen and executed by the user. Downloading cracks for various software is common, and such a key generator would normally trigger antivirus alerts, so keeping anti-malware tools running can block the downloaded file before the other payloads are launched. However, people looking for cracks and game cheats often disable their security software, and threat actors exploit that habit.

The newest version of Amadey can enumerate the installed antivirus tools, recognising 14 anti-malware products, and fetch payloads chosen to evade the product in use. The payload is installed while bypassing detection and with administrator privileges, and before the payloads are downloaded, exclusions are added to Windows Defender using PowerShell.
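The two behaviours described above, persistence entries that point into a temp folder (registry autorun keys and the Startup folder) and Windows Defender exclusions added from a PowerShell command line, are what a detection rule in a SIEM or EDR would look for. The following Python is an added example, not code from this page or from the researchers cited: it runs over constructed Sysmon-style JSON events (every file name, SID and path in the sample is hypothetical) and flags both patterns, rating a Defender-exclusion command higher when its parent process itself lives in a temp folder.

```python
"""Detect two Amadey-style behaviours in Sysmon-like event logs:
(1) persistence (Run keys / Startup folder) pointing into a temp folder,
(2) Windows Defender exclusions added from a PowerShell command line.
Added example; the events below are constructed, not real telemetry."""
import json
import re

# Constructed sample events using Sysmon field names.
# EventID 13 = registry value set, 11 = file created, 1 = process created.
# All paths, SIDs and binary names are hypothetical.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\ftewdv.exe", "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ftewdv", "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\ftewdv.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\update.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate", "Details": "C:\\Program Files\\Vendor\\update.exe"}
{"EventID": 11, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\ftewdv.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ftewdv.lnk"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\ftewdv.exe", "CommandLine": "powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\\Users\\bob\\AppData\\Local\\Temp'"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -Command Get-MpPreference"}
"""

# Temp locations a dropped copy of the payload typically lives in.
TEMP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Per-user and machine-wide autorun keys (Run and RunOnce).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Add-MpPreference / Set-MpPreference with any exclusion parameter.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_persistence(ev):
    """Flag Run-key values or Startup-folder drops whose binary lives in a temp dir."""
    if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        if TEMP_DIRS.search(ev.get("Details", "")):
            return "run-key persistence into temp folder: " + ev["Details"]
    if ev.get("EventID") == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        if TEMP_DIRS.search(ev.get("Image", "")):
            return "startup-folder drop by temp-folder binary: " + ev["TargetFilename"]
    return None


def check_defender_exclusion(ev):
    """Flag PowerShell adding Defender exclusions; higher severity if the
    parent process is itself a temp-folder binary (the loader calling it)."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if not DEFENDER_EXCLUSION.search(cmd):
        return None
    parent = ev.get("ParentImage", "")
    severity = "high" if TEMP_DIRS.search(parent) else "medium"
    return f"defender exclusion added ({severity}, parent={parent}): {cmd}"


def scan(text):
    """Run every check over every event and return the list of alert strings."""
    alerts = []
    for ev in parse_events(text):
        for check in (check_persistence, check_defender_exclusion):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample the scan yields three alerts: the Run-key value pointing into the user's Temp folder, the Startup-folder shortcut written by that same temp-folder binary, and a high-severity Defender-exclusion command whose parent is the dropped payload. The vendor updater in Program Files and the harmless Get-MpPreference call produce nothing, which is the kind of negative case worth keeping in the rule's test set.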

To stay away from these bots and malware, avoid downloading cracked files, software activators, key generators, and other illegitimate software. These tools, which promise free access to premium products or workarounds for video games, are not legal and can lead to malware infections and cyber attacks that end in the loss of account credentials, files, and cryptocurrency funds.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.