Cybersecurity researchers at AhnLab have detected a new version of an old malware strain, known as Amadey Bot, being distributed through software cracks and keygens.
Many people around the world would rather download a cracked version of expensive software (for example Windows, the Adobe Suite, or similar) from a torrent site, and follow up with a crack/keygen, than purchase a legitimate version that could cost a few hundred dollars.
These cracks and keygens often trigger false positive alerts with antivirus solutions, which makes them an ideal mule to carry malware, especially if the malware can act fast enough, before the victim re-enables the antivirus program. That’s exactly the case here, as AhnLab spotted that through keygens and cracks, threat actors have been distributing SmokeLoader, a malware dropper coded to infect the endpoint with Amadey Bot.
Stealing information and loading more malware
Amadey Bot is a four years old bot, capable of performing system reconnaissance, stealing information from the target endpoint (opens in new tab), and dropping additional payloads. It was also said that upon execution, the malware injects “Main Bot” into the currently running explorer.exe process, hiding from antivirus programs in plain sight.
What’s more, it copies itself to the TEMP folder with the name bguuwe.exe, and sets up a scheduled task, making sure it remains on the system even after being terminated. Besides analyzing the target system and stealing information, Amadey is also capable of dropping other malware, among which, AhnLab has found – RedLine (yuri.exe).
ReadLine is a popular, and highly potent stealer, that harvests browsers (opens in new tab) for saved passwords, autocomplete data, credit card information, and such. The malware (opens in new tab) also runs a system inventory, pulling in intel such as the username, location data, hardware configuration, and information on security software installed on the device. Newer versions are even able to steal cryptocurrency wallet (opens in new tab) information, as well as target FTP and IM clients. It can upload and download files, execute commands, and communicate with its C2 server.
The moral of the story is simple – downloading cracked software is simply not worth it, especially today when free, cloud-based alternatives are everywhere.
- Keep your devices safe with the best antivirus (opens in new tab) solutions around
Via: BleepingComputer (opens in new tab)