2022-07-26

Amadey Bot Teams Up With SmokeLoader

Industry: N/A | Level: Tactical | Source: ASEC

While tracking the information-stealing malware Amadey Bot, the ASEC analysis team found it being installed by the SmokeLoader malware. Recent campaigns distributing SmokeLoader have disguised it as cracked software. Once downloaded and executed, SmokeLoader injects itself into a running explorer.exe process and from there downloads Amadey Bot. When executed, Amadey copies itself to the Temp path and establishes persistence through the startup folder. After setup is complete, Amadey collects system information and exfiltrates it to the attacker's command and control server. Amadey can then download additional modules or payloads for information stealing: modules are executed with rundll32, and malicious executables are launched to tamper with Windows Defender settings.

Anvilogic Scenario:

  • Smokeloader & Amadey Malware - Infection

Anvilogic Use Cases:

  • Rare Remote Thread
  • Executable Process from Suspicious Folder
  • Registry key added with reg.exe
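To make the three use cases concrete, here is an added example (not code from ASEC or Anvilogic) that runs small versions of them over constructed Sysmon-style events following the chain described above; the field names, directory list, file names and the registry key are assumptions, not indicators from the report.

```python
from collections import Counter

# Directory fragments (lower-cased) treated as suspicious launch locations.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\startup\\")

# Constructed Sysmon-style events (EventID 1 = process create, 8 = remote
# thread) mirroring the chain: a fake "crack" injects into explorer.exe,
# explorer spawns a Temp-resident payload, the payload runs reg.exe and loads
# a module via rundll32; the EDR sensor and git events are benign noise.
EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\u\Downloads\crack_setup.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\sample_payload.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "sample_payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\sample_payload.exe",
     "CommandLine": r"reg add HKCU\Software\ConstructedKey /v x /d 1 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\sample_payload.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\mod.dll,Main"},
    {"EventID": 1, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "git status"},
]

def rare_remote_thread(events, max_seen=1):
    """Injection (source -> target) pairs seen at most max_seen times."""
    pairs = Counter((e["SourceImage"].lower(), e["TargetImage"].lower())
                    for e in events if e["EventID"] == 8)
    return [p for p, n in pairs.items() if n <= max_seen]

def executable_from_suspicious_folder(events):
    """Process launches whose image or command line points into Temp/Startup."""
    return [e["Image"] for e in events if e["EventID"] == 1 and any(
        d in (e["Image"] + " " + e.get("CommandLine", "")).lower()
        for d in SUSPICIOUS_DIRS)]

def reg_key_added(events):
    """reg.exe launched with the 'add' verb, whatever the key."""
    hits = []
    for e in events:
        tokens = e.get("CommandLine", "").split()
        if (e["EventID"] == 1 and e["Image"].lower().endswith("\\reg.exe")
                and len(tokens) > 1 and tokens[1].lower() == "add"):
            hits.append(e["CommandLine"])
    return hits
```

The remote-thread check is frequency based, so on real telemetry the threshold should come from a baseline window rather than from the handful of events being scored.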
