Here's another good reason to never use pirated software.

AhnLab cybersecurity researchers have detected a new version of an old malware strain, known as Amadey Bot, distributed via software cracks and keygens.

Many people around the world prefer to download a cracked version of expensive software (e.g. Windows, the Adobe suite or similar) from a torrent site and apply a crack/keygen, rather than buy a legitimate version that may cost a few hundred dollars.

These cracks and keygens often trigger false positives with antivirus solutions (which users therefore tend to switch off to run them), making them an ideal mule for carrying malware, especially if the malware can act fast enough, before the victim re-enables the antivirus program. This is exactly the case here: AhnLab found that threat actors used keygens and cracks to distribute SmokeLoader, a malware dropper configured to infect the endpoint with Amadey Bot.

Steal information and upload more malware

Amadey Bot is a four-year-old bot capable of performing system reconnaissance, stealing information from the target endpoint, and dropping additional payloads. Upon execution, the malware reportedly injects its "Main Bot" component into the running explorer.exe process, hiding itself from antivirus programs in plain sight.

Furthermore, it copies itself to the TEMP folder under the name bguuwe.exe and sets up a scheduled task, making sure it persists on the system even after the initial infection process has finished. In addition to scanning the target system and stealing information, Amadey is also capable of dropping other malware; among the payloads AhnLab found was RedLine (yuri.exe).
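One way a defender can hunt for the persistence behaviour described above (a scheduled task that launches a copy dropped in the TEMP folder) is to parse an export of the host's scheduled tasks and flag any whose executable lives in a Temp directory or carries the reported file name. This is an added example, not code from AhnLab's report or the original article; the `schtasks` CSV sample below is constructed, and the column names assume the `/fo CSV /v` output format.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output (not real data);
# only the columns this check needs are kept, a real export has many more.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"WS01","\bguuwe","C:\Users\alice\AppData\Local\Temp\bguuwe.exe","alice"
"WS01","\Updater","C:\Program Files\Vendor\updater.exe /silent","alice"
"WS01","\Helper","""C:\Users\bob\AppData\Local\Temp\svc.exe"" -k","bob"
'''

# A scheduled task that launches from a Temp directory is a persistence red flag.
TEMP_DIR_PATTERN = re.compile(r"[\\/]Temp[\\/]|%TEMP%", re.IGNORECASE)
# File name AhnLab reported for the Amadey copy dropped in TEMP (from the article).
KNOWN_NAMES = {"bguuwe.exe"}
# Unquoted command line: take everything up to the first executable extension.
UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", re.IGNORECASE)


def extract_executable(task_to_run: str) -> str:
    """Return the executable path from a 'Task To Run' field, dropping arguments."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = UNQUOTED_EXE.match(cmd)              # unquoted path with spaces (Program Files)
    return match.group(1) if match else cmd.split(" ", 1)[0]


def find_suspicious_tasks(csv_text: str) -> list:
    """Flag tasks whose executable lives in a Temp directory or matches a known name."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = extract_executable(row.get("Task To Run", ""))
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if TEMP_DIR_PATTERN.search(exe):
            reasons.append("runs from Temp directory")
        if basename in KNOWN_NAMES:
            reasons.append("matches known Amadey file name")
        if reasons:
            findings.append((row["TaskName"], exe, reasons))
    return findings


if __name__ == "__main__":
    for task, exe, reasons in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{task}: {exe} ({'; '.join(reasons)})")
```

On a live host, feed the function the actual output of `schtasks /query /fo CSV /v` instead of the constructed sample; a legitimate updater in Program Files is not flagged, while both tasks launching from a user's Temp directory are.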

RedLine is a popular and very powerful browser hijacker that steals passwords, autofill data, credit card information, and more. The malware also runs a system inventory, extracting information such as username, location data, hardware configuration, and details of the security software installed on the device. Newer versions are even capable of stealing cryptocurrency wallet information, as well as targeting FTP and IM clients. It can upload and download files, execute commands and communicate with its C2 server.

The moral of the story is simple: downloading pirated software is simply not worth it, especially today when free cloud-based alternatives are everywhere.

Via: BleepingComputer