LockBit affiliates use Amadey bot to deploy ransomware

Share post:

LockBit affiliates are using phishing emails to install the Amadey bot to take control of a device and encrypt it.

The malicious software is for sale on illegal forums, and the threat is aimed at companies with phishing emails disguised as job offers or copyright infringement notices.

ASEC researchers discovered Amadey malware distributed by SmokeLoader in July that was hidden in software cracks and serial generation programs available on several websites.

In one of the distribution cases, the threat actors used a malicious Word document called “Sia Sim.docx” It downloads a Word file that contains a malicious VBA macro, and the body of the text contains an image that asks the user to click “Enable Content” to enable the VBA macro.

The text contains an image that asks the user to click “Enable content” to activate the VBA macro, which then executes a PowerShell command to download and execute Amadey. The malicious Microsoft Word document (“.docx”) was uploaded to VirusTotal on October 28, 2022.

In a second distribution method, the threat actors disguised the Amadey malware as a seemingly harmless Word file, but in fact it is an executable (“Resume.exe”). The file is distributed via phishing emails, but ASEC has yet to identify the email used as a lure. Amadey registers with the task scheduler after installation to gain persistence, connects to the C&C server, sends the default information of the infected system, and receives commands.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways