According to newly released reports, the information-stealing malware Amadey is now being distributed by the SmokeLoader backdoor. Amadey was first observed in 2018. Besides stealing information, it can install additional malware and run commands issued by the attacker. SmokeLoader is a malicious bot (loader) that has been around since 2011 and is known for its deception and self-protection techniques, which are designed to ensure that its payloads execute on the target system.
These new attacks disguise a SmokeLoader payload as a crack or serial-key generator for popular commercial software. Once the disguised payload is run, it injects itself into the running explorer.exe process and downloads the Amadey payload. Amadey then installs itself and establishes persistence in two ways: by creating a scheduled task and by changing the location of the Startup folder. The malware collects basic host information, such as the computer name and any installed anti-malware products, and sends it to the command-and-control (C2) server. The C2 server responds with a command instructing the infected system to download a plugin that steals credentials and data from common applications, including email, FTP, and VPN clients. The malware also periodically captures screenshots of the infected system and sends them to the C2 server.
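The two persistence mechanisms described above (a scheduled task and a redirected Startup folder) can be checked on a suspect host. The following PowerShell is an added triage example, not code from the report or from the malware authors. It relies on two documented Windows facts: the Startup folder location is read from the `User Shell Folders` registry key (`Startup` under HKCU, `Common Startup` under HKLM), and scheduled tasks are enumerable with `Get-ScheduledTask`. The rule that a task launching a binary from a user-writable directory is suspicious is a triage heuristic of this example, not an indicator taken from the report, so expect a few benign hits (some legitimate updaters run from %LOCALAPPDATA% or %ProgramData%).

```powershell
# Added triage example (not from the report): look for the two persistence
# mechanisms described above. Requires Windows PowerShell 5.1 or later.
# Run in the context of the user whose profile is being examined; enumerating
# every user's scheduled tasks needs an elevated prompt.

# Check 1: has the Startup folder (per-user or all-users) been redirected away
# from its Windows default? The raw, unexpanded registry value is reported so an
# analyst sees exactly what was written.
function Test-StartupFolderRedirect {
    $targets = @(
        @{ Hive = 'HKCU:'; Value = 'Startup'
           Expected = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup' },
        @{ Hive = 'HKLM:'; Value = 'Common Startup'
           Expected = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp' }
    )
    foreach ($t in $targets) {
        $keyPath = Join-Path $t.Hive 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
        $raw = (Get-Item -Path $keyPath).GetValue($t.Value, $null, 'DoNotExpandEnvironmentNames')
        $resolved = [Environment]::ExpandEnvironmentVariables([string]$raw)
        # A missing value is treated as suspicious too: Windows always defines it.
        $suspicious = -not ($resolved.TrimEnd('\') -ieq $t.Expected.TrimEnd('\'))
        [pscustomobject]@{
            Check      = 'StartupFolderRedirect'
            Key        = "$keyPath\$($t.Value)"
            Suspicious = $suspicious
            RawValue   = $raw
            Resolved   = $resolved
            Expected   = $t.Expected
        }
    }
}

# Check 2: scheduled tasks whose action runs an executable from a directory an
# unprivileged user can write to (heuristic; assumed by this example, not by the
# report). COM-handler actions have no Execute property and are skipped.
function Get-SuspiciousScheduledTask {
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exePath = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            foreach ($dir in $userWritable) {
                if ($exePath.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{
                        Check     = 'ScheduledTaskUserWritablePath'
                        TaskPath  = $task.TaskPath
                        TaskName  = $task.TaskName
                        Execute   = $exe
                        Arguments = $action.Arguments
                        Author    = $task.Author
                        State     = $task.State
                    }
                    break
                }
            }
        }
    }
}

# Usage: review anything flagged Suspicious, and pull the task XML
# (Export-ScheduledTask) and the referenced binary for any task listed.
Test-StartupFolderRedirect | Format-List
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

If `Check 1` reports a redirected Startup folder, every file in the new location runs at logon for that user, so the directory contents, not just the registry value, need to be collected. If %APPDATA% itself is relocated by policy on the host, the expected path in this example will need adjusting before the comparison is meaningful.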
Once Amadey has infected a system and completed its initial information gathering, the threat actor behind the infection can push additional malware payloads to pursue further goals, such as deploying remote access trojans.