July 29, 2022 09:11 pm GMT

Amadey and SmokeLoader: How do they work

Since the dawn of the computer age, people have been fighting against malicious software that can cause huge damage to companies across many different industries.

What's Malware? Definition and Types

When we look up the meaning of malware in the dictionary we get the following definition: "Software that is written and distributed for malicious purposes, such as impairing or destroying computer systems. Computer viruses are malware". In short, this is the meaning of "malicious software", but if we dig a little deeper we can see a common pattern:

  • All the various types of malware infiltrate devices without the user's knowledge
  • Once there, they actively work against the user's interests

Regardless of the type, malware follows a pattern to infect a device: the download or installation of contaminated software. This is most often done through mobile phone messages, email, visits to unverified websites and free software download packages.

How does Trojan Horse work?

Ancient Greek poets recounted that Athenian warriors hid inside a giant wooden horse and came out after the Trojans pulled it inside the city walls. A Trojan horse is therefore a vehicle for hidden attackers. Digitally, a Trojan Horse is a kind of malware that infiltrates a victim's device by presenting itself as legitimate software. Once installed and activated, it may even download additional malware. After successful infiltration, the malware performs a series of actions, such as:

  1. Self-updating
  2. Removing all traces of itself
  3. Downloading other malware

SmokeLoader

SmokeLoader is a trojan-type malware used to distribute various other malicious programs. Cybercriminals spread SmokeLoader using spam emails. After infiltration, it connects to a remote Command and Control (C&C) server to download its latest version. At the same time, it modifies its files' creation/modification dates so that it cannot be spotted when the user checks the list of recently modified files.

Note: access to its files is also blocked, because it removes read/write permissions. To "disguise" its connection to the C&C server, it continuously sends requests to legitimate URLs. Based on this behavior, it is considered an advanced kind of trojan. Its presence can lead to serious problems on a system and, when identified, it should be eliminated immediately.
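The back-dating of modification dates described above leaves a trace a defender can look for. This is an added example, not code from the original post: on POSIX filesystems a process can rewrite a file's mtime/atime with utime(), but the kernel always sets the inode change time (ctime) to "now", so a file whose mtime is far older than its ctime was written recently and then back-dated. The directory walk, the tolerance value and the sample files are assumptions for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path


def looks_timestomped(path: str, tolerance_s: int = 60) -> bool:
    """True if the file's mtime is earlier than its ctime by more than tolerance_s.

    Assumes POSIX semantics (Linux/macOS): utime() can forge mtime/atime, but
    ctime is set by the kernel and cannot be back-dated by an unprivileged process.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_s


def find_timestomped(root: str, tolerance_s: int = 60) -> list[str]:
    """Walk root and return the paths whose timestamps look back-dated."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and looks_timestomped(str(p), tolerance_s):
            hits.append(str(p))
    return sorted(hits)


def demo() -> tuple[bool, bool]:
    """Constructed scenario: one honest file and one whose mtime was back-dated."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "honest.txt")   # constructed sample file
        faked = os.path.join(d, "dropper.bin")   # constructed sample file
        for f in (honest, faked):
            with open(f, "w") as fh:
                fh.write("sample content\n")
        # Back-date mtime/atime by a year, as a dropper hiding from a
        # "recently modified" listing would; ctime stays at the real write time.
        year_ago = time.time() - 365 * 24 * 3600
        os.utime(faked, (year_ago, year_ago))
        return looks_timestomped(honest), looks_timestomped(faked)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The check is a heuristic: legitimate tools (archive extractors, package managers, backup restores) also preserve old mtimes, so hits need triage rather than automatic deletion.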

Amadey

According to malpedia, "Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware."

What's the connection between Amadey and Smoke Loader?

Remember how SmokeLoader might install other viruses? Well... Amadey does the same, and its C&C panel's task list shows the most recent updates: screenshot capture, credential extraction, system metadata collection and even antivirus engine information. Its main purpose, however, is to deploy additional plugins and remote access trojans, while still allowing the criminals to conduct a range of post-exploitation activities.

If you're as passionate about the cryptography world as we are (or are simply curious about how it works and impacts your life), be sure to read the posts below:

At Vaultree we are building an encrypted future. We love sharing valuable information and trends to help you keep your data safe. Sign up to stay in the loop and discuss the hottest trends in cybersec with a team of experts.

Original Link: https://dev.to/vaultree/amadey-and-smokeloader-how-do-they-work-4fa2
