Botnet with Clipper Capabilities being pushed via Phishing Sites
The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan. In 2022, the Amadey bot was used by affiliates of LOCKBIT to spread ransomware to the victims.
Recently, Cyble Research and Intelligence Labs (CRIL) has detected a significant increase in the number of Amadey bot samples, indicating that threat actors are actively utilizing this bot to infect victims’ systems with additional malware. The statistics below depict the frequency of Amadey bot samples observed over Q4-2022.
Initial Infection:
Recently, the Amadey bot has been observed spreading through phishing sites, in addition to its usual method of being downloaded by the smoke loader through spam emails. The phishing site mimics Game Cheat that downloads a “Bossmenu Setup.rar” file from the URL:
- “hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar”.
Users are shown the phishing site used by the TAs for spreading the Amadey bot when they click the download button, shown in the figure below.
The downloaded .rar file contains a file named “Seil.exe” (sha256: 0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517), which is responsible for downloading the Amadey bot from the remote server.
The “Seil.exe” file is a .NET compiled file that downloads encrypted content from hxxp[:]//valorantcheatsboss[.]com/upload/bass/808, decrypts it, and loads another DLL module as shown below.
The DLL Module is protected by multiple layers, which finally loads the Amadey bot in the running process “Seil.exe”.
Amadey Bot Technical Analysis
We have taken the below sample hash for analysis (SHA256), b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65, which is a 32-bit VC++ compiled executable file, as shown below.
The Amadey bot malware creates a copy of itself in a random directory located in the %Temp% location and executes it using the ShellExecuteA() API.
- C:Users[user-name]AppDataLocalTemp4b9a106e76nbveek.exe
After this, the Amadey bot creates a Mutex named “c1ec479e5342a25940592acf24703eb2” to ensure that only one instance of malware is running at any given time on the infected system.
Persistence
The malware establishes persistence by adding a “startup” value in the below registry key.
- HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders.
The registry value “Startup” contains the path of the Amadey bot that was dropped in the %temp% location. Using this technique, the Amadey bot executes whenever a user logs in.
The Amadey bot creates persistence by creating a Task Scheduler entry for the sample dropped in the %temp% location. The Task Scheduler configured by the malware is set to execute the malicious sample every minute, as shown below.
The Amadey bot now gets the machine’s username and modifies the permission of the file “nbveek.exe” and folder “4b9a106e76” by granting the user to read/write and execute files using the following command.
- “/k echo Y|CACLS “nbveek.exe” /P “User Name:N”&&CACLS “nbveek.exe” /P “User Name:R” /E&&echo Y|CACLS “..4b9a106e76” /P “User Name:N”&&CACLS “..4b9a106e76” /P “User Name:R” /E&&Exit”
After gaining permission, the malware collects information from the victim’s machine and connects to its C&C server using a POST request, as shown below.
The POST request contains the following fields with the victim’s sensitive information, such as username, system name, etc.
| Field | Description |
| id | Victims’ ID |
| Vs | Bot Version Number |
| Sd | Bot ID |
| Os | Operating system version |
| bi | System Architecture |
| ar | Admin Privilege status |
| pc | Victims PC Name |
| Un | Username |
| dm | Domain Name |
| av | Anti-virus name |
| Lv | Unknown |
| Og | Unknown |
Upon connecting to a Command and Control (C&C) server, the Amadey bot downloads two DLL files, “cred64.dll” and “clip64.dll,” to the %appdata% location and executes them using rundll32.exe. These files are a credential stealing module and a clipper module, respectively.
The below figure shows the C&C panel of the Amadey bot.
Stealer Module
The file “Cred64.dll” (SHA256:398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3) is a 64-bit Microsoft Visual C/C++ DLL executable. The figure below shows the static details of the malicious binary file.
The “Cred64.dll” module is designed to collect sensitive information from browser files, such as the “Local State” and “Login Data” files.
The “Local State” file is a configuration file that holds various settings and information associated with the browser, including user preferences, the status of open tabs, and the location of the user’s profile folder, which contains information like browsing history, cache, bookmarks, and extensions.
The “Login Data” file contains the user’s saved login credentials, such as usernames and passwords of websites visited by the user. The following table illustrates the web browsers and files targeted to collect victims’ sensitive information.
| Chrome | GoogleChromeUser DataLocal State GoogleChromeUser DataDefaultLogin Data |
| Orbitum | OrbitumUser DataLocal State OrbitumUser DataDefaultLogin Data |
| Comodo Dragon | ComodoDragonUser DataLocal State ComodoDragonUser DataDefaultLogin Data |
| Chedot | ChedotUser DataLocal State ChedotUser DataDefaultLogin Data |
| CentBrowser | CentBrowserUser DataLocal State CentBrowserUser DataDefaultLogin Data |
| Opera Software | Opera SoftwareOpera StableLocal State Opera SoftwareOpera StableLogin Data |
| Microsoft Edge | MicrosoftEdgeUser DataLocal State MicrosoftEdgeUser DataDefaultLogin Data |
| SputnikLab | SputnikLabSputnikUser DataLocal State SputnikLabSputnikUser DataDefaultLogin Data |
| Chromium | ChromiumUser DataLocal State ChromiumUser DataDefaultLogin Data |
| Vivaldi | VivaldiUser DataLocal State VivaldiUser DataDefaultLogin Data |
| CocCoc | CocCocBrowserUser DataLocal State CocCocBrowserUser DataDefaultLogin Data |
The below image shows the assembly code used by the Stealer to collect information from one of the targeted web browsers, “Orbitum”.
Then, the DLL module extracts information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:
- %appdata%Armory
- %appdata%Dogecoin
- %appdata%Exodusexodus.wallet
- %appdata%Electrumwallets
- %appdata%Litecoinwallets
- %appdata%DashCorewallets
- %appdata%Monerowallets
Let’s assume the malware cannot access files containing sensitive wallet information. In that event, it uses the Taskkill command to forcefully terminate the crypto wallet client process if it is currently running on the victim’s device using the below commands.
- Taskkill /IM litecoin-qt.exe /F
- Taskkill /IM dash-qt.exe /F
- Taskkill /IM ArmoryQt.exe /F
The below image shows the assembly code used by malware to collect information from one of the targeted crypto wallets “Litecoin”.
The malicious DLL file continues to gather information by searching for specific applications such as FTP client software (WinSCP, FileZilla), Telegram, and Pidgin instant messenger on the victim’s device. It then steals important information from their configuration and session data files.
Finally, the Stealer module communicates with the below C&C server URL and sends the stolen information to the Threat Actor(s).
- hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php
Clipper Module:
The Clip64.dll (SHA256 : 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e) is a 32-bit VC++ compiled DLL file which has three export functions named:
- ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
- ??4CClipperDLL@@QAEAAV0@ABV0@@Z
- Main
The “Clip64.dll” is a Clipper module that intercepts cryptocurrency transactions by replacing a victim’s intended recipient with the attacker’s wallet address. It does this by monitoring the clipboard of the victim’s computer and swapping any copied cryptocurrency wallet addresses with the TA’s address. This results in the victim unknowingly sending their funds to the attacker instead of the intended recipient.
When the Clipper module runs, it retrieves the value stored in the clipboard of the victims by utilizing the GetClipBoardData() API function, as shown below.
Then, the malware checks the data in the clipboard to see if it contains a cryptocurrency wallet address by evaluating it based on certain conditions, such as the length and starting character of the string. If a wallet address is detected, the malware uses the OpenClipBoard(), EmptyClipBoard(), and SetClipBoard() functions to replace the legitimate wallet address with the attacker’s address, as shown below.
| Cryptocurrencies | TA’s Wallet Address |
| Bitcoin (BTC) | bc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77 |
| Ethereum (ETH) | 0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D |
| Dogecoin (DOGE) | DBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf |
| Litecoin (LTC) | LdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv |
| Monero (XMR) | 42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVVJ |
CRIL also identified that the Amadey Bot is responsible for downloading various malware families, such as Redline, Manuscript, BrowserHijackers, etc., into the victim’s machine.
Conclusion
In recent years, the design and capabilities of bots have advanced significantly.
A bot like Amadey is fully equipped with features such as system reconnaissance, information stealing, downloading & executing other malware, data exfiltration, and even clipper functionalities in its latest version.
This allows Threat Actors to steal personal, financial, and login information stored in web browsers, which can then be used for various fraudulent activities.
This type of malware’s wide range of capabilities makes them a significant threat to a broad range of potential victims. Cyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Users should also carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 T1218 T1047 T1106 |
User Execution Command and Scripting Interpreter Rundll32 Windows Management Instrumentation Native API |
| Persistence | T1547 T1053 |
Registry Run Keys / Startup Folder Scheduled Task/Job |
| Defense Evasion | T1027 T1497 |
Obfuscated Files or Information Virtualization/Sandbox Evasion |
| Credential Access | T1003 T1552 T1552 T1056 |
OS Credential Dumping Credentials in Registry Credentials In Files Input Capture |
| Discovery | T1082 T1518 T1083 T1087 |
System Information Discovery Security Software Discovery File and Directory Discovery Account Discovery |
| Collection | T1005 T1213 |
Data from Local System Data from Information Repositories |
| Command and Control | T1071 T1095 |
Application Layer Protocol Non-Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type |
Description |
| 0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517 | Sha256 | Seil.exe |
| b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65 | Sha256 | Amadey Bot |
| 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3 | Sha256 | Cred64.dll |
| 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e | Sha256 | Clip64.dll |
| hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar | URL | Download URL |
| hxxp[:]//valorantcheatsboss[.]com/upload/bass/808 | URL | Download URL |
| hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php | URL | C&C |
Related
Source: https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/