Amadey Malware, initially identified in 2018, is capable of stealing information and installing new malware in response to directions from the attacker. The Rewterz Threat Intelligence Team performed an analysis of the Amadey malware.
Attack Vector
The threat actors typically distribute the malware through spam emails referencing a package or shipment. Most of these malicious emails claim in the subject line that the package or shipment comes from a shipping company.
Modus Operandi
Following is the complete process-working graph generated as a result of the analysis.
Analysis for Phases of Malware Sample
Sample Collection
The threat intelligence team collected this sample on 9 January 2023; its file name ended with “filename.zip”. While reviewing the initial bytes of the extracted file in a hex editor, it was observed that the first two bytes are the ASCII characters ‘MZ’, identifying the file as a Windows executable.
Figure 1 ASCII Translation of EXE Extension
Execution
The execution vector depends on tricking the user into opening the file attachment.
Persistence
- During sample analysis, the malware downloads the executable into a startup folder resolved from the following locations:
  1. “\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup”
  2. “%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”
As we continue to analyze the above processes, nbveek executed itself from the TEMP path, ensuring it will persist even after a system reboot. It also registers itself as a scheduled task on the system.
Figure 2 Scheduled Task
Initiating C2 Channel
On executing the malware sample, it created the executable file “nbveek.exe” in the %temp% folder. nbveek.exe then successfully established a TCP connection with 62[.]204[.]41[.]151.
Figure 3 TCP Connection
The malware then collected information about the infected system. The information collected includes basic information such as computer name and user name, as well as a list of installed anti-malware products.
URL Encoding as Means to Share System Artifacts
The malware sample also passed system information using URL-encoded requests.
Figure 4 HTTP Request
The request parameters and the information each one carries:

| Key | Value |
| --- | --- |
| Id=795348421152 | Identification. Computed based on the Volume Serial Number. |
| Vs=3.65 | Amadey version |
| Sd=8b4dad | Amadey ID |
| Ar=1 | If the victim user has administrative privilege, the value is 1. Otherwise, it is 0. |
| Bi=1 | “1” for 64-bit. “0” for 32-bit. |
| Lv=1 | Install additional malware if the value is 0. |
| Os=1 | Windows version: Windows 7 = 9; Windows 10 = 1; Windows Server 2012 = 4; Windows Server 2019 = 16 |
| Av=13 | If there is no antivirus product, it is 0. Otherwise, it is assigned a number. |
| Pc=ComputerName | Computer name from GetComputerNameA |
| Un=Username | User name from GetUserNameA |
The parameter av=13 was sent when the infected environment was Windows 10, so it is likely that this number is reserved for Windows Defender. That matches the lab setup we configure for testing malware.

| AV Product | Code |
| --- | --- |
| AVAST Software | 1 |
| Avira | 2 |
| Kaspersky Lab | 3 |
| ESET | 4 |
| Panda Security | 5 |
| Doctor Web | 6 |
| AVG | 7 |
| 360TotalSecurity | 8 |
| BitDefender | 9 |
| Norton | 10 |
| Sophos | 11 |
| Comodo | 12 |
| Windows Defender | 13 (assumed) |
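The two tables above describe the check-in format well enough to build a small triage decoder for captured HTTP bodies. The following is an added example (not Rewterz's code or tooling): it assumes the parameters arrive as a URL-encoded form body, treats key names case-insensitively, and uses a sample body constructed from the table values.

```python
from typing import Optional
from urllib.parse import parse_qs

# Code meanings reproduced from the Os and Av tables above.
OS_CODES = {"1": "Windows 10", "4": "Windows Server 2012",
            "9": "Windows 7", "16": "Windows Server 2019"}
AV_CODES = {"0": "none", "1": "AVAST Software", "2": "Avira", "3": "Kaspersky Lab",
            "4": "ESET", "5": "Panda Security", "6": "Doctor Web", "7": "AVG",
            "8": "360TotalSecurity", "9": "BitDefender", "10": "Norton",
            "11": "Sophos", "12": "Comodo", "13": "Windows Defender (assumed)"}
EXPECTED_KEYS = {"id", "vs", "sd", "ar", "bi", "lv", "os", "av", "pc", "un"}

# Constructed sample body built from the values listed in the table (not a capture).
SAMPLE_BODY = ("id=795348421152&vs=3.65&sd=8b4dad&ar=1&bi=1&lv=1"
               "&os=1&av=13&pc=ComputerName&un=Username")


def decode_amadey_beacon(body: str) -> Optional[dict]:
    """Decode a URL-encoded Amadey check-in body into labelled fields.

    Returns None when any of the expected keys is missing, so the function
    doubles as a cheap filter when run over many captured request bodies.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {k.lower(): v[0] for k, v in parsed.items()}
    if not EXPECTED_KEYS.issubset(fields):
        return None
    return {
        "identification": fields["id"],       # derived from the volume serial number
        "amadey_version": fields["vs"],
        "amadey_id": fields["sd"],
        "is_admin": fields["ar"] == "1",
        "is_64bit": fields["bi"] == "1",
        # Table: additional malware is installed when lv is 0.
        "installs_additional_malware": fields["lv"] == "0",
        "os": OS_CODES.get(fields["os"], "unknown code " + fields["os"]),
        "antivirus": AV_CODES.get(fields["av"], "unknown code " + fields["av"]),
        "computer_name": fields["pc"],
        "user_name": fields["un"],
    }


if __name__ == "__main__":
    for key, value in (decode_amadey_beacon(SAMPLE_BODY) or {}).items():
        print(f"{key:>28}: {value}")
```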
More Stages of Infection
Analyzing the captured communication shows two URLs. Both appear to be executable resources hosted by the C2 server (highlighted in red in the figure below).
Figure 5 HTTP Response
1. Portu.exe
2. Anon.exe
Portu.exe
We found that portu.exe collects the system’s information and sends it to the C2 server encapsulated in a web request.
C2 Server IP: 62.204.41.211
Figure 6 Web request
Anon.exe
We found that the response for the staged module “anon.exe” contains keywords resembling the folder names found under “APPDATA”.
Figure 7 Staged module
From the response analysis, we conclude that Anon.exe searches AppData for each user profile found on the infected system. Specific targets of the search include:
- Cryptocurrency wallets.
- User browser information.
Remediations from Rewterz
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enact the Concept of Least Privilege.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade platforms and software in a timely manner, and make this a standard security policy.
- Restrict installation of untrusted 3rd Party applications.
- Monitor remote connections and maintain logs of all activities. Limit access to administrative accounts and portals to only relevant personnel and ensure they are not publicly accessible.
- Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administrative security policies along with a password change policy every few months.
- Whenever possible, limit VPN access to only authorized devices. Any attempt to connect from another device should be denied.
- Enable two-factor authentication (2FA) on remote sessions, especially for connections to the corporate network.
- Update spam and anti-phishing software and configurations to increase security.
- Block the subject IPs “62.204.41.151” and “82.115.223.15”.
- Add the hashes “33520cb1209409f60c2feb681777e52f315152ff2f14af1c59e7001b0c21f945” and “9a270017dd339531fffc6abb0fb77506b2bf973f4676fc191233470cf902a4a6” to your security controls.
Note: The above analysis was performed in a Rewterz-provisioned environment. Rewterz Cyber Reports can be found at Rewterz Threat Intelligence Labs. If you have any malware samples or binaries that need to be analyzed, contact us at info@rewterz.com.