Amadey Bot, a notorious malware strain that first came to the cyber threat arena in 2018, is capable of stealing data and deploying other malicious payloads on the compromised system. It has been actively distributed across hacker forums to engage in offensive operations. Cybersecurity researchers have recently observed the distribution of a new version of Amadey Bot malware via SmokeLoader malicious campaigns leveraging software cracks and key generation utilities from websites as lures.

Detect SmokeLoader Deploying AmadeyBot In Most Recent Campaigns

With an ever-increasing number of attack volumes and rapidly evolving threat vectors, cybersecurity practitioners are looking for new ways to proactively strengthen their organization’s defenses. SOC Prime’s Detection as Code platform curates a set of Sigma rules to help global organizations effectively defend against a novel version of Amadey Bot installed through Smoke Loader in the latest adversary campaigns. 

All dedicated Sigma rules are convertible to the industry-leading SIEM, EDR, and XDR solutions and aligned with the MITRE ATT&CK® framework to ensure comprehensive visibility into related threats. Follow the links below to obtain these curated detections crafted by our prolific content contributors and active participants of the Threat Bounty Program, Aykut Gurses, Nattatorn Chuensangarun, and Aytek Aytemur:

SmokeLoader Malware Suspicious Persistence Activity (via cmdline)

This threat hunting query developed by Aykut Gurses detects persistence established after a user executes SmokeLoader and Amadey Bot malware pushed via software cracks or keygen websites. The detection rule addresses the Defense Evasion and Execution ATT&CK tactics along with their corresponding techniques, including Modify Registry (T1112), Scheduled Task/Job (T1053), and User Execution (T1204).

Possible SmokeLoader Persistence by Modifying Registry through Amadey Bot Distribution (via process_creation)

The above-mentioned threat hunting query crafted by Nattatorn Chuensangarun detects SmokeLoader persistence activity in which the malware copies itself to the Temp path and points a registry key at that copy. This Sigma rule addresses the Defense Evasion adversary tactic with Modify Registry (T1112) as its primary technique.

New version of Amadey Bot Distributed Via SmokeLoader (via process_creation)

This Sigma rule by Aytek Aytemur detects the suspicious schtasks.exe activity performed by the Amadey Bot malware installed by SmokeLoader. The detection addresses the Scheduled Task/Job (T1053) ATT&CK technique from the Execution tactic.

Industry experts and aspiring detection content contributors can hone their Detection Engineering and Threat Hunting skills by joining Threat Bounty Program backed by SOC Prime’s crowdsourcing initiative. Author detection content, share it with industry peers, and gain financial rewards for your contributions with a brilliant opportunity for self-advancement. 

To gain access to the entire list of Sigma rules for SmokeLoader malware detection, click the Detect & Hunt button below. Non-registered SOC Prime users can also instantly dive into the comprehensive threat context related to the latest SmokeLoader campaigns downloading Amadey Bot using SOC Prime’s cyber threats search engine. Click the Explore Threat Context button and reach in-depth contextual metadata, including MITRE ATT&CK and CTI references, media links, and more insights accompanied by the latest Sigma rules from SOC Prime’s platform.


Since it emerged in 2018, Amadey Bot has frequently been used by adversaries to carry out reconnaissance, steal sensitive data from infected hosts, and deliver additional malicious payloads. While its distribution decreased through 2020-2021, Amadey Bot resurfaced in 2022 with enhanced functionality, switching from the Fallout and Rig exploit kits to SmokeLoader as its main delivery method.

According to the analysis by AhnLab, SmokeLoader is typically executed by unsuspecting victims as part of software cracks or keygens. The malware therefore sidesteps antivirus alerts, since users tend to disable protections while installing cracked software. SmokeLoader then injects its malicious payload into the explorer.exe process and drops Amadey on the compromised system.

Notably, the latest 3.21 version of Amadey Bot is capable of identifying around 14 antivirus products and evading detection while gaining persistence on the host. After collecting system information, Amadey drops additional malware, including various infostealers such as RedLine. The malicious payloads are fetched and executed with UAC bypass and privilege escalation. Moreover, PowerShell is used to add Windows Defender exclusions so that the installation stays covert.
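As an added illustration that is not part of the original post or of SOC Prime's published rules, the following Python sketch applies the three behaviours the rules above and the AhnLab summary describe (schtasks persistence, Run-key modification pointing at a Temp-resident copy, and PowerShell-driven Defender exclusions) to constructed process_creation events. The field names, the command-line patterns, and the `defender_exclusion` label are assumptions for the example, not indicators taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process_creation events (not real telemetry), shaped like
# the fields a Sysmon/EDR process_creation log normally carries.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\abcd\sample.exe" /sc minute',
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\abcd\sample.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d "C:\Users\u\AppData\Local\Temp\abcd\sample.exe" /f',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp\abcd",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\abcd\sample.exe"},
    # Benign-looking scheduled task: action lives outside Temp, should not fire.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# A binary living under the user's Temp folder is the common thread in the
# persistence behaviour described for SmokeLoader/Amadey.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def evaluate_event(ev: Dict[str, str]) -> List[str]:
    """Return the labels of every heuristic this single event trips."""
    img = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits: List[str] = []
    # T1053 (from the page): schtasks creating a task whose action is Temp-resident
    if img.endswith("\\schtasks.exe") and "/create" in cmd.lower() and TEMP_PATH.search(cmd):
        hits.append("T1053")
    # T1112 (from the page): Run-key autostart entry pointing at a Temp-resident copy
    if img.endswith("\\reg.exe") and re.search(r"currentversion\\run", cmd, re.I) and TEMP_PATH.search(cmd):
        hits.append("T1112")
    # Assumed indicator for the "PowerShell excludes Windows Defender" step
    if img.endswith("\\powershell.exe") and re.search(r"add-mppreference\s+-exclusionpath", cmd, re.I):
        hits.append("defender_exclusion")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched labels) for every event that trips a heuristic."""
    return [(i, labels) for i, ev in enumerate(events) if (labels := evaluate_event(ev))]


if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], labels)
```

In production these heuristics would be expressed as Sigma rules and tuned for the Temp-path false positives that legitimate installers produce.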

To prevent Amadey Bot and SmokeLoader infection, users are urged to avoid software cracks and illegitimate key generators. Security practitioners can also boost their threat detection capabilities and threat hunting velocity by registering with SOC Prime's Detection as Code platform. The platform aggregates 200,000+ detection algorithms for existing and emerging threats, delivered within a 24-hour timeframe, and helps defenders stay one step ahead of attackers. Seasoned Threat Hunters and Security Analysts are most welcome to join our Threat Bounty Program to submit their Sigma rules and receive recurrent payouts while contributing to collaborative cyber defense.
