Threat actors have been leveraging SmokeLoader malware concealed in cracked software and keygen sites to spread a novel Amadey Bot malware variant, reports BleepingComputer.
Executing a software crack or keygen bundled with SmokeLoader prompts the injection of the "Main Bot" into the running 'explorer.exe' process and the download of the Amadey malware, which copies itself into the TEMP folder under the name 'bguuwe.exe' upon retrieval and execution, a report from AhnLab revealed.
After establishing a scheduled task for persistence, Amadey communicates with a command-and-control server, to which it sends a system profile. The latest iteration of the botnet can detect fourteen antivirus products, the report showed.
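The drop-to-TEMP-then-schedule-a-task sequence described above is a pattern defenders can hunt for in process-creation telemetry. The script below is an added example written for this summary; it is not code from the article or from AhnLab's report. The record layout (image path, command line, parent image) is an assumed simplification of Sysmon Event ID 1 fields, and the sample events are constructed; only the file name 'bguuwe.exe' comes from the reporting.

```python
"""Flag executables run from a user's TEMP folder and scheduled tasks
whose action points back into TEMP (the Amadey persistence pattern).

Added example: field names are assumed, sample events are constructed.
"""
import re
from dataclasses import dataclass

# A path component such as \AppData\Local\Temp\<name>.exe (case-insensitive)
TEMP_EXE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Temp)\\[^\\\s\"']+\.exe", re.IGNORECASE
)
# The /tr argument of schtasks.exe /create, quoted or unquoted
SCHTASKS_TR_RE = re.compile(r"/tr\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    rule: str
    event: ProcessEvent


def is_temp_executable(path: str) -> bool:
    """True if the path is an .exe inside a TEMP directory."""
    return TEMP_EXE_RE.search(path) is not None


def scheduled_task_target(command_line: str):
    """Return the /tr action of a 'schtasks /create' command line, else None."""
    if "/create" not in command_line.lower():
        return None
    match = SCHTASKS_TR_RE.search(command_line)
    return match.group(1).strip('"') if match else None


def analyse(events):
    """Run both rules over a list of ProcessEvent records."""
    findings = []
    for ev in events:
        if is_temp_executable(ev.image):
            findings.append(Finding("exec_from_temp", ev))
        if ev.image.lower().endswith("\\schtasks.exe"):
            target = scheduled_task_target(ev.command_line)
            if target and is_temp_executable(target):
                findings.append(Finding("schtasks_persists_temp_exe", ev))
    return findings


# Constructed sample telemetry: one benign task creation, one dropper launch,
# one task registration pointing at the dropped file, one ordinary process.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe"',
        r"C:\Program Files\Vendor\setup.exe",
    ),
    ProcessEvent(
        r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
        r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
        r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /sc minute /mo 1 /tn "bguuwe" /tr "C:\Users\alice\AppData\Local\Temp\bguuwe.exe" /f',
        r"C:\Users\alice\AppData\Local\Temp\bguuwe.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\notepad.exe",
        r"notepad.exe notes.txt",
        r"C:\Windows\explorer.exe",
    ),
]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.event.image} <- {finding.event.parent_image}")
```

Both rules are deliberately narrow. Executables launched from TEMP are common during legitimate installs, so the second rule (a task whose action lives in TEMP) is the higher-signal one; correlating the two on the same host within a short window, as in the sample above, is what separates a dropper from an installer.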
Meanwhile, additional plugins and info-stealers, including RedLine, are fetched from the C2 servers and installed after a UAC bypass and privilege escalation.
Researchers also found that one of the DLL plugins could enable information theft from MikroTik Router Management Program Winbox, FileZilla, Outlook, Pidgin, RealVNC, TightVNC, TigerVNC, Total Commander FTP Client, and WinSCP.