Severity
High
Analysis Summary
Recently, SmokeLoader has been used by the creators of the Amadey Bot malware to spread a newer version via keygen and crack sites. Amadey Bot is data-stealing malware that enables its operators to install additional payloads, and it is sold on underground forums.
The Amadey malware is delivered by SmokeLoader, which is concealed in software cracks and serial-generating applications found on a variety of websites. SmokeLoader acts as a loader for other malware: it injects its main bot into the running explorer process (explorer.exe) and downloads the Amadey malware onto the system.
When the malware is executed, it registers its folder as a startup folder in order to maintain persistence. The malware communicates with the C2 and delivers system information (machine name, user name, OS version, list of installed anti-malware solutions) to the operators. The server responds with instructions to download additional plugins and information-stealing malware, for example RedLine.
Amadey employs a program called ‘FXSUNATD.exe’ and elevates to admin through DLL hijacking. The payloads are downloaded and deployed using privilege escalation and UAC bypassing. Amadey also regularly takes screenshots, saves them in the TEMP folder, and then sends them to the C2 in a subsequent POST request.
According to researchers, the malware steals information from email clients, FTP clients, VPN clients, and so on. The information-stealing plugin is capable of targeting the following software:
- MikroTik router management program Winbox
- Outlook
- FileZilla
- Pidgin
- Total Commander FTP Client
- RealVNC, TightVNC, TigerVNC
- WinSCP
Software crack and keygen websites are used to trick victims into downloading this malware, which can then steal their personal information.
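As an added defender-side example (not part of the Rewterz alert or any vendor tooling), the following Python hunting pass runs over constructed endpoint and proxy events and flags the three behaviours described above: an executable fetched from a bare-IP host, FXSUNATD.exe launched from outside System32, and a POST to a bare-IP host from an image in a Temp folder. The sample events, the 203.0.113.10 address and the rule that the legitimate FXSUNATD.exe lives only under System32 are assumptions.

```python
import re

# Constructed sample events, not the alert's IOCs: process image path plus,
# for network events, the request method and URL.
SAMPLE_EVENTS = [
    {"proc": "explorer.exe", "path": "C:\\Windows\\explorer.exe",
     "method": "GET", "url": "http://203.0.113.10/ama.exe"},
    {"proc": "FXSUNATD.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\FXSUNATD.exe"},
    {"proc": "svc.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "method": "POST", "url": "http://203.0.113.10/index.php"},
    {"proc": "notepad.exe", "path": "C:\\Windows\\System32\\notepad.exe"},
    {"proc": "chrome.exe", "path": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "method": "GET", "url": "https://example.org/download/setup.exe"},
]

# URL whose host is a bare IPv4 literal; the alert's stage URLs had that shape.
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)
# Assumption: the legitimate FXSUNATD.exe lives under System32 only.
SYSTEM32 = "c:\\windows\\system32\\"

def in_temp(path: str) -> bool:
    """Image runs from a user-writable Temp directory (heuristic)."""
    return "\\temp\\" in path.lower()

def hunt(events):
    """Return (rule, process, detail) tuples for events matching the alert's behaviours."""
    hits = []
    for ev in events:
        url, method = ev.get("url", ""), ev.get("method", "")
        path = ev["path"].lower()
        # 1. Executable fetched from a bare-IP host (SmokeLoader/Amadey stage download).
        if method == "GET" and BARE_IP_URL.match(url) and url.lower().endswith(".exe"):
            hits.append(("exe_from_bare_ip", ev["proc"], url))
        # 2. FXSUNATD.exe running outside System32 (DLL-hijack UAC bypass abuse).
        if ev["proc"].lower() == "fxsunatd.exe" and not path.startswith(SYSTEM32):
            hits.append(("fxsunatd_outside_system32", ev["proc"], ev["path"]))
        # 3. POST to a bare-IP host from an image in Temp (screenshot/check-in exfil).
        if method == "POST" and BARE_IP_URL.match(url) and in_temp(path):
            hits.append(("post_from_temp_to_bare_ip", ev["proc"], url))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Each rule on its own is noisy in a real environment; the value is in correlating them on one host within a short window, with the IOCs from the alert as the high-confidence anchor.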
Impact
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Remediation
- Avoid downloading cracked files, software product activators, and illegitimate key generators.
- Block the threat indicators at their respective security controls.
- Search for the IOCs in your environment.
- Do not download such files from the internet without first confirming their legitimacy.