Cyble – The Rise Of Amadey Bot: A Growing Concern For Internet Security
Category

Botnet with Clipper Capabilities being pushed via Phishing Sites

The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan. In 2022, the Amadey bot was used by affiliates of LOCKBIT to spread ransomware to the victims.

Recently, Cyble Research and Intelligence Labs (CRIL) has detected a significant increase in the number of Amadey bot samples, indicating that threat actors are actively utilizing this bot to infect victims’ systems with additional malware. The statistics below depict the frequency of Amadey bot samples observed over Q4-2022.

Figure 1 Amadey bot statistics
Figure 1 – Amadey bot statistics

Initial Infection:

Recently, the Amadey bot has been observed spreading through phishing sites, in addition to its usual method of being downloaded by the smoke loader through spam emails. The phishing site mimics Game Cheat that downloads a “Bossmenu Setup.rar” file from the URL:

  • “hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar”.

Users are shown the phishing site used by the TAs for spreading the Amadey bot when they click the download button, shown in the figure below.

Figure 2 Phishing website downloading Amadey bot
Figure 2 – Phishing website downloading Amadey bot

The downloaded .rar file contains a file named “Seil.exe” (sha256: 0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517), which is responsible for downloading the Amadey bot from the remote server.

The “Seil.exe” file is a .NET compiled file that downloads encrypted content from hxxp[:]//valorantcheatsboss[.]com/upload/bass/808, decrypts it, and loads another DLL module as shown below.

Figure 3 Code snippet to download DLL Module
Figure 3 – Code snippet to download DLL Module

The DLL Module is protected by multiple layers, which finally loads the Amadey bot in the running process “Seil.exe”.

Amadey Bot Technical Analysis

We have taken the below sample hash for analysis (SHA256), b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65, which is a 32-bit VC++ compiled executable file, as shown below.

Figure 4 Static details of loader
Figure 4 – Static details of loader

The Amadey bot malware creates a copy of itself in a random directory located in the %Temp% location and executes it using the ShellExecuteA() API.

  • C:Users[user-name]AppDataLocalTemp4b9a106e76nbveek.exe

After this, the Amadey bot creates a Mutex named “c1ec479e5342a25940592acf24703eb2” to ensure that only one instance of malware is running at any given time on the infected system.

Persistence

The malware establishes persistence by adding a “startup” value in the below registry key.

  • HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders.

The registry value “Startup” contains the path of the Amadey bot that was dropped in the %temp% location. Using this technique, the Amadey bot executes whenever a user logs in.

Figure 5 Registry entry for persistence
Figure 5 – Registry entry for persistence

The Amadey bot creates persistence by creating a Task Scheduler entry for the sample dropped in the %temp% location. The Task Scheduler configured by the malware is set to execute the malicious sample every minute, as shown below.

Figure 6 Task schedular entry for persistence
Figure 6 – Task scheduler entry for persistence

The Amadey bot now gets the machine’s username and modifies the permission of the file “nbveek.exe” and folder “4b9a106e76” by granting the user to read/write and execute files using the following command.

  • “/k echo Y|CACLS “nbveek.exe” /P “User Name:N”&&CACLS “nbveek.exe” /P “User Name:R” /E&&echo Y|CACLS “..4b9a106e76” /P “User Name:N”&&CACLS “..4b9a106e76” /P “User Name:R” /E&&Exit”

After gaining permission, the malware collects information from the victim’s machine and connects to its C&C server using a POST request, as shown below.

Figure 7 – CC communication
Figure 7 – C&C communication

The POST request contains the following fields with the victim’s sensitive information, such as username, system name, etc.

Field Description
id Victims’ ID
Vs Bot Version Number
Sd Bot ID
Os Operating system version
bi System Architecture
ar Admin Privilege status
pc Victims PC Name
Un Username
dm Domain Name
av Anti-virus name
Lv Unknown
Og Unknown

Upon connecting to a Command and Control (C&C) server, the Amadey bot downloads two DLL files, “cred64.dll” and “clip64.dll,” to the %appdata% location and executes them using rundll32.exe. These files are a credential stealing module and a clipper module, respectively.

The below figure shows the C&C panel of the Amadey bot.

Figure 8 CC panel
Figure 8 – C&C panel of Amadey Bot

Stealer Module

The file Cred64.dll” (SHA256:398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3) is a 64-bit Microsoft Visual C/C++ DLL executable. The figure below shows the static details of the malicious binary file.

Figure 9 Static details of stealer module
Figure 9 – Static details of the stealer module

The “Cred64.dll” module is designed to collect sensitive information from browser files, such as the “Local State” and “Login Data” files.

The “Local State” file is a configuration file that holds various settings and information associated with the browser, including user preferences, the status of open tabs, and the location of the user’s profile folder, which contains information like browsing history, cache, bookmarks, and extensions.

The “Login Data” file contains the user’s saved login credentials, such as usernames and passwords of websites visited by the user. The following table illustrates the web browsers and files targeted to collect victims’ sensitive information.

Chrome GoogleChromeUser DataLocal State GoogleChromeUser DataDefaultLogin Data
Orbitum OrbitumUser DataLocal State OrbitumUser DataDefaultLogin Data
Comodo Dragon ComodoDragonUser DataLocal State ComodoDragonUser DataDefaultLogin Data
Chedot ChedotUser DataLocal State ChedotUser DataDefaultLogin Data
CentBrowser CentBrowserUser DataLocal State CentBrowserUser DataDefaultLogin Data
Opera Software Opera SoftwareOpera StableLocal State Opera SoftwareOpera StableLogin Data
Microsoft Edge MicrosoftEdgeUser DataLocal State MicrosoftEdgeUser DataDefaultLogin Data
SputnikLab SputnikLabSputnikUser DataLocal State SputnikLabSputnikUser DataDefaultLogin Data
Chromium ChromiumUser DataLocal State ChromiumUser DataDefaultLogin Data
Vivaldi VivaldiUser DataLocal State VivaldiUser DataDefaultLogin Data
CocCoc CocCocBrowserUser DataLocal State CocCocBrowserUser DataDefaultLogin Data

The below image shows the assembly code used by the Stealer to collect information from one of the targeted web browsers, “Orbitum”.

Figure 10 – Assembly Code used to collect data from browser
Figure 10 – Assembly Code used to collect data from browsers

Then, the DLL module extracts information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:

  • %appdata%Armory
  • %appdata%Dogecoin
  • %appdata%Exodusexodus.wallet
  • %appdata%Electrumwallets
  • %appdata%Litecoinwallets
  • %appdata%DashCorewallets
  • %appdata%Monerowallets

Let’s assume the malware cannot access files containing sensitive wallet information. In that event, it uses the Taskkill command to forcefully terminate the crypto wallet client process if it is currently running on the victim’s device using the below commands.

  • Taskkill /IM litecoin-qt.exe /F
  • Taskkill /IM dash-qt.exe /F
  • Taskkill /IM ArmoryQt.exe /F

The below image shows the assembly code used by malware to collect information from one of the targeted crypto wallets Litecoin”.

Figure 11 – Assembly Code used to collect data from crypto wallet
Figure 11 – Assembly Code used to collect data from crypto wallet

The malicious DLL file continues to gather information by searching for specific applications such as FTP client software (WinSCP, FileZilla), Telegram, and Pidgin instant messenger on the victim’s device. It then steals important information from their configuration and session data files.

Finally, the Stealer module communicates with the below C&C server URL and sends the stolen information to the Threat Actor(s).

  • hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php

Clipper Module:

The Clip64.dll (SHA256 : 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e) is a 32-bit VC++ compiled DLL file which has three export functions named:

  • ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
  • ??4CClipperDLL@@QAEAAV0@ABV0@@Z
  • Main

The “Clip64.dll” is a Clipper module that intercepts cryptocurrency transactions by replacing a victim’s intended recipient with the attacker’s wallet address. It does this by monitoring the clipboard of the victim’s computer and swapping any copied cryptocurrency wallet addresses with the TA’s address. This results in the victim unknowingly sending their funds to the attacker instead of the intended recipient.

When the Clipper module runs, it retrieves the value stored in the clipboard of the victims by utilizing the GetClipBoardData() API function, as shown below.

Figure 12 GetClipBoardData function
Figure 12 – GetClipBoardData() function

Then, the malware checks the data in the clipboard to see if it contains a cryptocurrency wallet address by evaluating it based on certain conditions, such as the length and starting character of the string. If a wallet address is detected, the malware uses the OpenClipBoard(), EmptyClipBoard(), and SetClipBoard() functions to replace the legitimate wallet address with the attacker’s address, as shown below.

Figure 13 Replacing Clipboard value with TAs wallet address
Figure 13 – Replacing Clipboard value with TA’s wallet address.
Cryptocurrencies TA’s Wallet Address
Bitcoin (BTC) bc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77
Ethereum (ETH) 0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D
Dogecoin (DOGE) DBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf
Litecoin (LTC) LdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv
Monero (XMR) 42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVVJ

CRIL also identified that the Amadey Bot is responsible for downloading various malware families, such as Redline, Manuscript, BrowserHijackers, etc., into the victim’s machine.

Conclusion

In recent years, the design and capabilities of bots have advanced significantly.

A bot like Amadey is fully equipped with features such as system reconnaissance, information stealing, downloading & executing other malware, data exfiltration, and even clipper functionalities in its latest version.

This allows Threat Actors to steal personal, financial, and login information stored in web browsers, which can then be used for various fraudulent activities.

This type of malware’s wide range of capabilities makes them a significant threat to a broad range of potential victims. Cyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
  • Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Users should also carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Execution T1204
T1059
T1218
T1047
T1106
User Execution
Command and Scripting Interpreter
Rundll32
Windows Management Instrumentation
Native API
Persistence T1547
T1053
Registry Run Keys / Startup Folder
Scheduled Task/Job
Defense Evasion T1027
T1497
Obfuscated Files or Information
Virtualization/Sandbox Evasion
Credential Access T1003
T1552
T1552
T1056
OS Credential Dumping
Credentials in Registry
Credentials In Files
Input Capture
Discovery T1082
T1518
T1083
T1087
System Information Discovery
Security Software Discovery
File and Directory Discovery
Account Discovery
Collection T1005
T1213
Data from Local System
Data from Information Repositories
Command and Control T1071
T1095
Application Layer Protocol
Non-Application Layer Protocol

Indicators of Compromise (IOCs)

Indicators Indicator
Type
Description
0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517 Sha256 Seil.exe
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65 Sha256 Amadey Bot
398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3 Sha256 Cred64.dll
45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e Sha256 Clip64.dll
hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar URL Download URL
hxxp[:]//valorantcheatsboss[.]com/upload/bass/808 URL Download URL
hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php URL C&C

Source: https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/