Threat actors use software cracks and keygen sites to lure victims into downloading information-stealing malware.
Cybercriminals have started using SmokeLoader malware to install Amadey Bot malware on victim’s devices, researchers at ASEC claim.
Amadey Bot is used to steal information and install additional malware by receiving commands from the attacker. Meanwhile, SmokeLoader provides attackers with additional features related to info-stealing and plugins.
Researchers claim that people behind Amadey pack the malware into SmokeLoader and hide the duo in software cracks and serial-key-generation software on multiple dedicated websites.
“When SmokeLoader is run, it injects the Main Bot into the currently running explorer process (explorer.exe). This means the Bot that performs the actual malicious behaviors operates inside the explorer process,” reads ASEC’s report.
Once executed, Amadey copies itself to a Temp folder and registers the folder it now lives in as a startup folder, so that it runs again after a reboot.
Once up and running, the malware starts communicating with the command and control (C2) server. Malware operators receive the target’s computer name, username, OS version, and details about installed antivirus software.
Working with the received information, the server instructs the malware to download additional plugins and copies of more information-stealing software. The info-stealers target email clients, FTP clients, VPN clients, and other software.
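The persistence and beaconing steps described above map onto two detection checks a defender can run over endpoint telemetry: a startup registration whose payload lives in a Temp directory, and explorer.exe opening connections outside the local network. The Python script below is an added example written for this article, not code from ASEC or Cybernews. The simplified Sysmon-style event records, the Temp and startup path patterns, and the explorer.exe off-LAN heuristic are constructed assumptions; the script generalizes the report's description by checking both Run-key and Startup-folder registrations.

```python
"""Toy detection rules for the two behaviours the ASEC report describes.

The event records are constructed samples in a simplified Sysmon-like
shape (not real telemetry), and the path markers are assumptions chosen
for illustration.
"""
from __future__ import annotations

import ipaddress
import ntpath
from dataclasses import dataclass

# RFC 1918 ranges plus loopback; anything outside these is "off-LAN".
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Assumed path fragments identifying a Temp directory (lower-cased).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Assumed fragments identifying startup registrations: the Startup folder
# itself, the Run key, and the User Shell Folders key that can redirect
# the Startup folder elsewhere.
STARTUP_MARKERS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\currentversion\\run\\",
    "\\currentversion\\explorer\\user shell folders\\",
)


@dataclass
class Event:
    kind: str          # "file_create" | "registry_set" | "net_connect"
    image: str         # process that performed the action
    target: str        # file path, registry value path, or "ip:port"
    data: str = ""     # registry value data (a path) where applicable


def in_temp(path: str) -> bool:
    """True if the path lies inside a Temp directory."""
    p = path.lower().rstrip("\\") + "\\"
    return any(m in p for m in TEMP_MARKERS)


def is_startup_location(path: str) -> bool:
    """True if the file or registry path is a startup registration point."""
    p = path.lower()
    return any(m in p for m in STARTUP_MARKERS)


def rule_temp_persistence(ev: Event) -> bool:
    """Startup registration whose payload (or registering process) lives in Temp."""
    if ev.kind == "registry_set":
        return is_startup_location(ev.target) and in_temp(ev.data)
    if ev.kind == "file_create":
        return is_startup_location(ev.target) and in_temp(ev.image)
    return False


def rule_explorer_offlan(ev: Event) -> bool:
    """explorer.exe connecting outside RFC 1918 / loopback space.

    Noisy by design: explorer.exe legitimately reaches file shares, so this
    needs baselining before it is used as an alert.
    """
    if ev.kind != "net_connect":
        return False
    if ntpath.basename(ev.image).lower() != "explorer.exe":
        return False
    host, _, _port = ev.target.rpartition(":")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an IP: treat as off-LAN
    return not any(addr in net for net in LOCAL_NETS)


RULES = {
    "persistence_from_temp": rule_temp_persistence,
    "explorer_outbound_offlan": rule_explorer_offlan,
}


def detect(events: list[Event]) -> list[tuple[str, Event]]:
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events following the chain in the report: a download
# drops a copy into Temp, that copy registers its folder for startup, and
# the injected explorer.exe beacons out. Two benign events are mixed in.
SAMPLE_EVENTS = [
    Event("file_create", "C:\\Users\\bob\\Downloads\\crack_setup.exe",
          "C:\\Users\\bob\\AppData\\Local\\Temp\\svhost.exe"),
    Event("registry_set", "C:\\Users\\bob\\AppData\\Local\\Temp\\svhost.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
          "C:\\Users\\bob\\AppData\\Local\\Temp"),
    Event("registry_set", "C:\\Program Files\\Vendor\\app.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
          "C:\\Program Files\\Vendor\\updater.exe"),
    Event("net_connect", "C:\\Windows\\explorer.exe", "192.168.1.5:445"),
    Event("net_connect", "C:\\Windows\\explorer.exe", "203.0.113.10:80"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.kind} by {ev.image} -> {ev.target} {ev.data}".rstrip())
```

Running the script flags only the Temp-based startup registration and the off-LAN explorer.exe connection; the vendor Run-key entry and the SMB connection to a LAN host pass. In practice the second rule should be correlated with the first (or with a process-injection event into explorer.exe) rather than alerted on alone.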
ASEC listed Mikrotik router management software, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP as the main targets of the info-stealers that Amadey installs on infected computers.
“Once the malware is installed, it can stay in the system to steal user information and download additional payloads. Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance,” concludes the report.