HYAS Threat Intel Report April 15 2024

Weekly Threat Intelligence Report

Date: April 15, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Each week, we are sharing what we are seeing in our HYAS Insight threat intelligence and investigation platform, specifically autonomous system numbers (ASNs) and malware origins, as well as the most prominent malware families. This week, we were intrigued by the Amadey malware family and increased activity in certain areas. The threat posed by the Amadey malware family looms large, targeting individuals, businesses, and organizations across sectors with sophisticated tactics aimed at stealing sensitive information, compromising systems, and wreaking havoc.

We look at the intricacies of the Amadey malware family, exploring its modular architecture, propagation methods, malicious techniques, notable campaigns, and the entities it targets. By dissecting the inner workings of this pervasive threat and providing actionable insights, we hope to better equip cybersecurity professionals, organizations, and individuals with the knowledge needed to bolster their defenses and mitigate the risks posed by Amadey and similar malware variants. Read on to learn what we found.

Overview of the Amadey Malware Family

Amadey malware has garnered attention as it reportedly finds its way into the digital underworld through Russian language crime forums, according to research conducted by Blackberry Japan. This notoriety stems from its availability for purchase, catering to threat actors seeking to amplify their malicious activities. One of its notable features is its adaptability, as it can be deployed through various means such as phishing, exploiting vulnerabilities, or leveraging credential stuffing techniques. This versatility provides malicious actors with multiple avenues to initiate their attacks, allowing them to tailor their approach based on their targets' vulnerabilities and security measures.

Functionally, Amadey operates primarily as an infostealer, designed to infiltrate systems and exfiltrate sensitive information. However, its utility extends beyond mere data theft, often serving as a conduit for the deployment of additional malware payloads, including ransomware. This dual capability enhances its potency, enabling threat actors to not only harvest valuable data but also to potentially cripple systems and demand ransom payments for their restoration.

Interestingly, despite its origins and purported distribution through Russian language crime forums, Amadey exhibits a peculiar self-imposed restriction. It employs a geofencing mechanism to evade operation on systems set to Russian language settings, as revealed by its method of checking the language of the host PC. This strategic limitation suggests a level of caution or self-preservation within the malware's design, potentially aimed at avoiding unwanted attention from law enforcement agencies within its home jurisdiction or adhering to certain ethical codes prevalent within the cybercriminal community.

Remote Access Trojan (RAT)

Amadey is a malware family recognized as a Remote Access Trojan (RAT) generally used in reconnaissance operations. It allows attackers to remotely control infected systems, which can include tasks such as downloading and executing additional malware, harvesting data, or taking screenshots. Past campaigns using this malware family have been known to target non-Russian-speaking countries.

Modular Architecture: Amadey is known for its modular architecture, allowing it to adapt and execute various malicious functionalities based on the attacker's objectives. Modules can include keylogging, credential stealing, remote access, and more.

Propagation: Amadey spreads through phishing emails, malicious attachments, exploit kits, and compromised websites. Once executed, the malware silently installs itself on the system and initiates malicious activities.

Persistence Mechanisms: Amadey maintains persistence by creating registry entries, modifying startup settings, or dropping executable files in system directories.

Command and Control (C2) Communication: Amadey communicates with command-and-control servers to receive commands, exfiltrate data, and receive updates. Communication is often encrypted to evade detection.

Don’t miss our upcoming threat intelligence webinar!
Cyber Surveillance: Tracking New Malware Threats
April 30th at 10:00am PST / 1:00pm EST
Register here

Amadey Malware’s Preferred Targets

Amadey malware primarily targets individuals, small to medium-sized businesses (SMBs), and enterprises. However, its reach can extend to any organization or individual with internet-connected devices, especially those with valuable data or financial assets. Here are some specific entities that may be targeted by Amadey:

Individual Users: Amadey often targets individual users through phishing emails, malicious downloads, or compromised websites. These attacks aim to steal personal information, financial credentials, and other sensitive data.

SMBs: Small to medium-sized businesses are common targets for Amadey due to potentially weaker cybersecurity defenses compared to larger enterprises. Attackers may seek to steal business-related information, login credentials, or financial data for various illicit purposes.

Enterprises: Larger enterprises may also fall victim to Amadey attacks, especially if they have valuable intellectual property, customer data, or financial resources. These attacks can result in significant financial losses, reputational damage, and legal consequences.

Financial Institutions: Financial institutions, including banks, credit unions, and financial service providers, are prime targets for Amadey attacks due to the potential for lucrative financial gain. Attackers may attempt to steal banking credentials, conduct fraudulent transactions, or compromise financial systems.

Government Organizations: Government agencies and institutions may be targeted by Amadey for espionage, data theft, or disruption of critical infrastructure. These attacks can have far-reaching implications for national security and public safety.

Healthcare Sector: The healthcare sector is increasingly targeted by cybercriminals, including those distributing Amadey malware. Attackers may seek to steal patient data, medical records, or personally identifiable information (PII) for identity theft or extortion purposes.

Overall, Amadey malware casts a wide net, targeting entities across various sectors and industries, regardless of size or prominence. It underscores the importance of robust cybersecurity measures and proactive threat detection to mitigate the risks associated with such attacks.

Techniques Employed by Amadey

Keylogging: Amadey captures keystrokes, allowing attackers to steal usernames, passwords, and other credentials.

Credential Theft: Amadey steals credentials from web browsers, email clients, FTP applications, and other software.

Remote Access: Some variants allow attackers full control over infected systems, enabling execution of commands and file manipulation.

Data Exfiltration: Stolen data is exfiltrated to attacker-controlled servers via encrypted channels.

The new and free(!) HYAS Insight Intel Feed is a new kind of intelligence feed that enables your SOC triage process, incident response, and threat hunting. 

Notable Amadey Campaigns

Spread via Email Attachments: Amadey is distributed through phishing emails with malicious attachments.

Exploit Kits: Some variants leverage exploit kits to infect vulnerable systems.

Malvertising: Amadey is distributed through malicious advertisements on compromised websites.

Social Engineering Tactics: Campaigns employ fake software updates, security alerts, or free download offers to trick users.

Indicators of Compromise (IOCs)

File Hashes:
MD5: ca52fe78cea93be27c9c417d3194889
MD5: 2dcbc3cb49166a47f8a4371fcc2f5f6c

IP Addresses:
185[.]215[.]113[.]32
4[.]185[.]137[.]132
185[.]215[.]113[.]32

Mitigation Strategies

User Education: Educating users about the dangers of phishing emails, suspicious attachments, and malicious links can help prevent infections by Amadey and similar malware.

Security Software: Deploying robust antivirus and endpoint security solutions can help detect and block known variants of Amadey, as well as identify suspicious behavior indicative of malware activity.

Patch Management: Keeping software and operating systems up to date with the latest security patches can mitigate the risk of exploitation by exploit kits and other malware delivery methods.

Network Monitoring: Implementing network monitoring solutions can help detect and block communication attempts by Amadey with its command-and-control servers, preventing data exfiltration and further compromise.

What Does It All Mean?

Adam Lopez, Director of Solutions Engineering at HYAS, weighs in with his analysis.

The IP addresses we found suggest a geographically dispersed operation, leveraging infrastructure in Europe and North America. This implies a strategic choice to use hosting services in different jurisdictions, potentially to complicate cross-border law enforcement efforts and to leverage robust infrastructure that can support global campaigns.

The choice of ISPs could indicate threat actors’ preferences for providers with permissive abuse policies or those in jurisdictions with less stringent law enforcement cooperation. This preference might facilitate the longevity of their malicious infrastructure.

While cross-referencing with threat intelligence platforms can aid attribution, the use of common infrastructure by multiple actors complicates this process. Accurate attribution requires correlating multiple IOCs and considering contextual information from a variety of sources. The use of these IPs as C2 servers and distribution points underscores the need for advanced network monitoring and endpoint detection to identify and disrupt the communication channels malware relies on.

Amadey’s flexible architecture illustrates a trend where malware is developed with a service-oriented approach, providing customization options for various cybercriminal customers. This plug-and-play functionality increases the threat surface as it lowers the barrier to entry for less technically skilled threat actors.

The commercial availability of Amadey on underground forums represents the CaaS model’s expansion, making sophisticated tools accessible to a wider range of malicious actors. This democratization of access increases the scale and frequency of attacks.

The wide range of targets and tactics used in Amadey campaigns reflects the dynamic and opportunistic nature of modern cyber threats. It emphasizes the need for a multi-layered security approach tailored to different risk profiles.

Given the sectors targeted by Amadey, including finance and healthcare, there are significant implications for data protection and regulatory compliance. These sectors must prioritize defense mechanisms that go beyond basic cybersecurity hygiene.

In conclusion, the Amadey malware family poses a significant threat to individuals and organizations alike, leveraging various propagation and evasion techniques to infect and compromise systems. By understanding its characteristics, techniques, and notable campaigns, as well as implementing effective mitigation strategies, organizations can better protect themselves against this persistent threat.

Want to see some malware detonated? Join our upcoming webinar on April 30th at 10:00am PST / 1:00pm EST
Cyber Surveillance: Tracking New Malware Threats
Register here


Want more threat intel on a weekly basis?

Follow HYAS on LinkedIn
Follow HYAS on X

Read last week's report:
HYAS Threat Intel Report - April 8, 2024

Sign up for the NEW (and free!) HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.  

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

Back to Blog