# A Study on Long-Term Trends about Amadey C2 Infrastructure

BlackBerry Japan, Principal Threat Researcher, Masaki Kasuya Ph.D.

-----

### Outline

- Background and motivation
- What's Amadey?
- Evaluation
- Lessons Learned
- Conclusion

-----

### Background

- A variety of malware families have emerged in recent years
  - Redline, Amadey, Emotet
- We see
  - Deep-dive malware analysis
  - Short-term trend research

https://any.run/malware-trends/

-----

### Difficulty of Long-term Trend Research

- Long-term trend research is harder than deep-dive analysis / short-term trend research
  - C2 communication protocol changes due to version updates
  - Encoded / encrypted C2 communication
  - Scalability
  - Server-side evasion

-----

### Benefit of Understanding Long-term Analysis Results

- Security practitioners / researchers understand
  - Will a new malware family become a major threat?
  - What type of malware do attackers spread via a bot network?
  - Time-to-Live of C2 servers
  - Where do attackers upload additional payloads?
-----

### Motivation

- Create an infrastructure for long-term trend research
  - This talk covers Amadey
- Share lessons learned from the findings of this project
  - Collected and analyzed the long-term trend for 50 months

-----

### Amadey

- Appeared in the second half of 2018
  - https://pastebin.com/U415KmF3
- A Russian-made malware
  - https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot (Figure 11)
- The price was 600 USD at that time

-----

### Amadey as an Infostealer

- Collects victim computer information

-----

### Plug-ins for Amadey

- DLLs for
  - Credential stealer
  - Screenshot
- 2020/May ~

-----

### Request Parameters

- They contain basic victim information
  - Some parameters were added due to version updates

[Figure: request parameters, Ver 1 vs Ver 3]

-----

### Response Data

- Amadey has recently started encrypting response data with RC4
  - Confirmed in Version 4.X since 2023/Nov

[Figure: RC4 + Base64 / RC4 + Hex string]

-----

### Overview of Amadey Emulator

- Create and send dummy C2 requests
  - Give C2 URL, version number, Amadey ID and RC4 key as "feed" data
  - The Amadey emulator generates the other parameters appropriately
- VPN destination
  - US, UK, JP and others

-----

### Evaluation

- Sent dummy requests to 529 Amadey C2 servers (twice a day)
  - 2019/10/24 – 2023/11/18 (around 50 months)
  - Eliminated dead C2 servers appropriately
  - Checked whether C2 servers were active or not
    - Active: 335 C2 servers
    - Inactive: 194 C2 servers
  - Downloaded 5,422 unique additional payloads

-----

### The Number of Active C2 Servers (Daily Basis)

- Increased since 2022/Nov
- Dropped in 2023/Nov due to Ver 4

-----

### VirusTotal Upload History about Amadey

- Confirmed Amadey variants constantly since 2021
- The number of variants increased dramatically since 2022/Oct

-----

### Additional Payloads via Amadey

- Amadey users have actively spread additional payloads since late 2021
- The number of additional payloads increased dramatically in 2023

-----

### To Become a Major Threat in case of Amadey

- Amadey took four years after it appeared
  - ~ 2021: not so active
  - 2021 ~: attackers tend to use Amadey
  - 2022/Oct ~: Amadey became a major threat

-----

### Appeared Malware Families via Amadey

- Confirmed 100 families over 50 months
  - Collected 5,422 unique samples

| | | | | |
|---|---|---|---|---|
|RedlineStealer|SystemBCProxy|Ficker|CinoshiStealer|Cat4er|
|Dropper|EternityClipper|TeamSpy|PovertyStealer|ImBetter|
|Vidar|ClipBanker|Kronos|Kraken|r77Rootkit|
|XMRig|ManusCrypt|QuasarRAT|Kpot|ObserverStealer|
|Amadey|Async_RAT|HVNCRAT|Tinynuke|GurcuStealer|
|SmokeLoader|AuroraStealer|AlphaIRCBot|BanditStealer|ArrowRAT|
|RhadamanthysStealer|zgRAT|Keylogger|ParallaxRAT|LockBit|
|Downloader|EternityWorm|Stealc|Solarmarker|LolMiner|
|Remcos|PandoraHVNC|XWorm|XFilesStealer|Erica|
|CoinMiner|AveMaria|BlackGuard|PureCrypter|BlackNET|
|Raccoon|StealthWorker|Phonk|TyphonStealer|Osiris|
|Clipper|ServHelper|njRAT|xoCreatorStealer|Colibri|
|CryptOne|Neoreklami|ZLoader|DjvuRansom|Erbium|
|Fabookie|Taurus|PredatorStealer|StormKitty|JesterStealer|
|WindowsDefenderDisabler|WhiteSnake|EthereumMiner|AgentTesla|IcarusHVNC|
|YTStealer|DCRAT|RedlineClipper|TitanStealer|GhostRAT|
|MysticStealer|Socelars|Danabot|LucaStealer|Gminer|
|EternityStealer|DarkTortilla|Trickbot|Ursnif|EvilExtractor|
|ArechClient2|GoClipper|MassLogger|AZORult|VectorStealer|

-----

### The Number of Additional Payloads per Year

- The number of additional payloads via Amadey is increasing

-----

### Top 10 Malware

- Redline was spread as an additional payload
  - Almost 2.5x more than anything else
- Dropper contained several families
- Info-stealers were spread frequently

The count is the cumulative number of daily unique samples

-----

### Top 10 Malware Monthly Trend

-----

### Odd Situation in 2019

- The installer program of AVG was spread via Amadey
  - 2019/Oct/27 – 2019/Nov/23
- Did the attacker check Amadey's loader function?
  - We did not see any malicious additional payloads from the C2 server

-----

### Odd Situation in 2020

- Found 3 URLs: NSA, FBI and CIA on 2020/Feb/27
- Due to inappropriate configuration?
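The Response Data slide above notes that Version 4.X returns RC4-encrypted responses wrapped either as Base64 or as a hex string. The decoder below is an added example, not code from the talk or from BlackBerry: it strips either wrapping and RC4-decrypts with the key recovered from the sample. The key, plaintext and response bodies are constructed placeholders, not real Amadey values, and the hex-versus-Base64 detection is a heuristic, not the malware's own logic.

```python
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def unwrap(blob: str) -> bytes:
    """Remove the outer text encoding (hex string or Base64) from a response body.

    Heuristic: an even-length string made only of hex digits is treated as hex,
    anything else as Base64. A Base64 body that happens to contain only hex
    characters would be misclassified, so confirm against the sample's version
    when in doubt.
    """
    body = blob.strip()
    if len(body) % 2 == 0 and _HEX_RE.match(body):
        return bytes.fromhex(body)
    return base64.b64decode(body, validate=True)


def decode_response(blob: str, key: bytes) -> str:
    """Undo the wrapping, then RC4-decrypt with the key taken from the sample."""
    return rc4(key, unwrap(blob)).decode("utf-8", errors="replace")


def wrap(ciphertext: bytes, mode: str) -> str:
    """Build a response body in either observed wrapping (used to construct samples)."""
    if mode == "hex":
        return ciphertext.hex()
    if mode == "base64":
        return base64.b64encode(ciphertext).decode("ascii")
    raise ValueError(f"unknown wrapping: {mode}")


# Constructed sample values; neither the key nor the body comes from a real Amadey sample.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PLAINTEXT = b"constructed response body|1|example"
SAMPLE_HEX_RESPONSE = wrap(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT), "hex")
SAMPLE_B64_RESPONSE = wrap(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT), "base64")


if __name__ == "__main__":
    for label, body in (("hex", SAMPLE_HEX_RESPONSE), ("base64", SAMPLE_B64_RESPONSE)):
        print(f"{label:6s} {body} -> {decode_response(body, SAMPLE_KEY)!r}")
```

Because RC4 has no integrity protection, a wrong key yields garbage rather than an error; checking that the decrypted bytes are printable is the quickest sanity test when triaging a captured response.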
-----

### Amadey Spreads Some Payloads at Once

- 6ac2… : Dropper
  - The dropper contained Redline Stealer and Mystic Stealer
- 858d… : Mystic Stealer
- 6131… : SmokeLoader
  - It downloaded Redline Stealer and Mystic Stealer

-----

### Amadey C2 Server's Location

- The most used C2 server location was Russia

-----

### Amadey C2 Server's Time-to-Live

- 38 C2 servers were active for more than 90 days
  - 3 C2 servers were active for more than a year
- Around 90% of C2 servers were active for 90 days or less

-----

## Domain Names to Save Additional Payload

- Attackers tend to use legitimate services
  - Simple URL / domain filtering won't be effective

-----

## Correlation between Amadey and Redline

- Investigated their additional payload spread campaigns
  - I did similar research for Redline [DFRWS APAC 2023, Kasuya]
- Extracted samples with the same hash value, same URL and same day between the two families

-----

### Malware Spread Campaign of Amadey / Redline

- Amadey C2: 45[.]15[.]156[.]208
  - hXXp://194[.]180[.]49[.]153/udp/rdpcllp[.]exe
- Redline C2: dmg[.]allwesoft[.]com
  - hXXp://194[.]180[.]49[.]153/udp/taskmask[.]exe

-----

### Malware Spread Campaign of Amadey / Redline

- C2 / Duration
  - Amadey C2
    - 45_15_156_208
  - Redline C2
    - dmg_allwesoft_com:11615, 5_209_3_10:11615, oodlogs_neverever_ug:11615
  - Duration: 2023/06/11, 2023/06/14 - 2023/06/29, 2023/07/26 - 2023/07/31, 2023/08/11 - 2023/08/13
- Additional payload URLs
  - hXXp://165[.]232[.]162[.]31/udp/mntaskost[.]exe
  - hXXp://165[.]232[.]162[.]31/udp/cltaskost[.]exe
  - hXXp://165[.]232[.]162[.]31/udp/mtaskhost[.]exe
  - hXXp://165[.]232[.]162[.]31/udp/cltaskhost[.]exe
  - hXXp://165[.]232[.]162[.]31/udp/rdpcllp[.]exe
  - hXXp://194[.]180[.]49[.]153/udp/rdpcllp[.]exe
  - hXXp://194[.]180[.]49[.]153/udp/taskmask[.]exe
- They spread Redline, XMRig and LaplasClipper at the same time

-----

### Malware Spread Campaign of Amadey / Redline

- An attacker can spread malware with different bot networks
  - Amadey
    - Late October 2021, early November 2021
  - CoinMiner
    - Middle – late January 2022, early February 2022, early March 2022
  - Amadey, CoinMiner and DarkTerritoryClipper
    - Middle – late February 2022, April 2022, middle of May
  - LaplasClipper
    - Late July 2023

-----

## Lessons Learned

- A new malware family can become a major threat a few years later
- One malware infection brings other malware infections
  - A prevention-first approach is important to mitigate security risk
- Attackers host malware on legitimate services
  - Simple URL / domain filtering won't be effective

-----

## Conclusion

- Implemented an Amadey emulator
  - Contributed to understanding the long-term additional payload trend
- Amadey became a major threat since 2021
  - Spread a variety of malware families
  - Hosted additional payloads on legitimate services
- Shared lessons learned with the computer security community

-----

## Thank You

-----
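The Evaluation, Time-to-Live, Top 10 and Correlation slides describe three computations over the same log of answered dummy requests: a C2 server's time-to-live, the daily-unique payload count per family, and the Amadey/Redline join on (hash, URL, day). The following is an added example, not code from the talk or from BlackBerry, run over a constructed log. The hashes, C2 names and URLs are placeholders; time-to-live is taken as the span from the first to the last day a server answered, inclusive, and "daily unique" is read as counting a sample once per day it was served; both readings are assumptions about the slides' wording.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One answered dummy request: a payload served by a C2 on a given day."""
    day: date      # day the dummy request was answered
    family: str    # bot network that served the payload ("Amadey" or "Redline")
    c2: str        # C2 server contacted (constructed, defanged placeholder)
    sha256: str    # hash of the downloaded payload (constructed placeholder)
    url: str       # location the payload was fetched from (constructed placeholder)


def c2_time_to_live(obs):
    """Days each C2 was active: first to last answering day, inclusive (assumption)."""
    first, last = {}, {}
    for o in obs:
        first[o.c2] = min(first.get(o.c2, o.day), o.day)
        last[o.c2] = max(last.get(o.c2, o.day), o.day)
    return {c2: (last[c2] - first[c2]).days + 1 for c2 in first}


def ttl_bucket(days):
    """Bucket a TTL into the three bands the talk reports."""
    if days > 365:
        return "more than a year"
    if days > 90:
        return "more than 90 days"
    return "90 days or less"


def ttl_histogram(obs):
    """How many C2 servers fall into each TTL band."""
    return Counter(ttl_bucket(d) for d in c2_time_to_live(obs).values())


def daily_unique_counts(obs):
    """Count a sample once per (day, family, hash); the same hash served again
    on a later day is counted again (assumed reading of 'daily unique')."""
    seen = {(o.day, o.family, o.sha256) for o in obs}
    return Counter(family for _day, family, _sha in seen)


def shared_campaigns(obs):
    """(hash, url, day) keys served by both the Amadey and Redline bot networks."""
    families_by_key = defaultdict(set)
    for o in obs:
        families_by_key[(o.sha256, o.url, o.day)].add(o.family)
    return sorted(k for k, fams in families_by_key.items() if {"Amadey", "Redline"} <= fams)


# Constructed observation log; nothing below is a real indicator.
URL_A = "hxxp://payload-host[.]example/a.exe"
URL_B = "hxxp://payload-host[.]example/b.exe"
OBS = [
    Observation(date(2023, 6, 11), "Amadey", "c2-a[.]example", "hash-0001", URL_A),
    Observation(date(2023, 6, 11), "Redline", "c2-r[.]example", "hash-0001", URL_A),  # same hash/URL/day
    Observation(date(2023, 6, 12), "Amadey", "c2-a[.]example", "hash-0001", URL_A),   # served again next day
    Observation(date(2023, 6, 12), "Amadey", "c2-a[.]example", "hash-0002", URL_B),
    Observation(date(2023, 6, 30), "Redline", "c2-r[.]example", "hash-0002", URL_B),  # same hash/URL, other day
    Observation(date(2023, 10, 1), "Amadey", "c2-a[.]example", "hash-0003", URL_B),
    Observation(date(2022, 1, 5), "Amadey", "c2-b[.]example", "hash-0004", URL_A),
    Observation(date(2023, 1, 20), "Amadey", "c2-b[.]example", "hash-0005", URL_A),
]


if __name__ == "__main__":
    for c2, days in sorted(c2_time_to_live(OBS).items()):
        print(f"{c2:16s} {days:4d} days  ({ttl_bucket(days)})")
    print("daily-unique payloads per family:", dict(daily_unique_counts(OBS)))
    print("campaigns seen via both bot networks:", shared_campaigns(OBS))
```

On the constructed log, hash-0002 is served by both families but on different days, so it does not count as a shared campaign; only hash-0001 on 2023-06-11 does. Requiring the same day, not just the same hash and URL, is what keeps the join from pairing unrelated reuse of a payload host.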