Cybersecurity researchers at AhnLab have detected a new version of an old malware strain, known as Amadey Bot, being distributed through software cracks and keygens.
Many people around the world would rather download a cracked version of expensive software (for example Windows, the Adobe Suite, or similar) from a torrent site, and follow up with a crack/keygen, than purchase a legitimate version that could cost a few hundred dollars.
These cracks and keygens often trigger false positive alerts with antivirus solutions, which makes them an ideal mule to carry malware, especially if the malware can act fast enough, before the victim re-enables the antivirus program. That’s exactly the case here, as AhnLab spotted that through keygens and cracks, threat actors have been distributing SmokeLoader, a malware dropper coded to infect the endpoint with Amadey Bot.
Stealing information and loading more malware
Amadey Bot is a four years old bot, capable of performing system reconnaissance, stealing information from the target endpoint, and dropping additional payloads. It was also said that upon execution, the malware injects “Main Bot” into the currently running explorer.exe process, hiding from antivirus programs in plain sight.
What’s more, it copies itself to the TEMP folder with the name bguuwe.exe, and sets up a scheduled task, making sure it remains on the system even after being terminated. Besides analyzing the target system and stealing information, Amadey is also capable of dropping other malware, among which, AhnLab has found - RedLine (yuri.exe).
ReadLine is a popular, and highly potent stealer, that harvests browsers for saved passwords, autocomplete data, credit card information, and such. The malware also runs a system inventory, pulling in intel such as the username, location data, hardware configuration, and information on security software installed on the device. Newer versions are even able to steal cryptocurrency wallet information, as well as target FTP and IM clients. It can upload and download files, execute commands, and communicate with its C2 server.
The moral of the story is simple - downloading cracked software is simply not worth it, especially today when free, cloud-based alternatives are everywhere.
- Keep your devices safe with the best antivirus solutions around
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.