According to newly released reports, an information-stealing malware known as Amadey is now being distributed by means of the backdoor SmokeLoader. Amadey was first discovered in 2018. In addition to its ability to steal information, Amadey can install additional malware and run commands executed by the attacker. SmokeLoader is a malicious bot application that has been around since 2011 and is known for its use of deception and self-protection to make sure its payloads can be executed on the target system.
These new attacks work by masquerading a SmokeLoader payload as a software crack or serial generation program for popular commercial software. Once this masqueraded SmokeLoader payload is run on the system, it injects itself into the currently running explorer.exe process and downloads the Amadey payload. Amadey then performs numerous steps to install itself, as well as establishing persistence through both a scheduled task and by modifying the location of the startup folder. The malware then collects basic information from the system, such as the computer name and any anti-malware products installed, and sends it back to the Command and Control (C2) server. The C2 server then sends back a command to the infected system to download a plugin used to steal information from common applications, including email, FTP, and VPN clients. Additionally, the malware periodically takes screenshots on the infected system and sends them back to the C2 server.
Once Amadey has infected a system and performed its initial information gathering, the threat actor behind the infection has the capability to install additional malware payloads to achieve any other goals, such as deploying remote access trojans.
It is highly recommended to avoid downloading or installing cracked or pirated software, as they are a common infection vector for threat actors. Many different malware families, including SmokeLoader, are distributed under the guise of cracked software to trick unsuspecting users into infecting their systems. It is also recommended to make sure all software, including the operating system and any web browsers, are up-to-date on patches to help minimize potential infection vectors or reduce the impact of malware execution. Finally, maintaining good endpoint security controls, such as an EDR, will be paramount to help prevent or detect a malware infection occurring. Amadey and SmokeLoader both exhibit abnormal behavior that can be detected and alerted upon. Activity like an explorer process making outbound network connections, the startup folder for a user being modified, an abnormal process making beacon-like network connections to an external system, or PowerShell modifying Windows Defender exclusions are all behaviors that could be considered suspicious on a system. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.