# Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites

Source: [thecyberexpress.com/amadey-botnet-back-via-phishing-sites/](https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/)

An old botnet called Amadey, first discovered in 2018, has been found to be actively used to attack systems. Researchers at the [Cyble Research and Intelligence Labs (CRIL)](https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/) found gamers being victimized by phishing websites that pose as sources of gaming hacks and cheats. This info-stealing trojan can copy login details from several browsers and was found on devices infected in attacks launched by the LockBit ransomware group in 2022. The increase in its use was observed in the last three months of 2022.

The increased use of the Amadey bot (Image: Cyble)

It can work on browsers including Chrome, Chedot, Microsoft Edge, CentBrowser, SputnikLab, and Opera Software, among others. It also impacts cryptocurrencies including Bitcoin, Monero, Ethereum, and Litecoin.

## Attack vector using the Amadey bot

Cybercriminals are using fraudulent websites with malicious links camouflaged as cheats for the multiplayer shooting video game Valorant.
It asks users to download a .rar file from hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar, which starts an attack whose capabilities include system reconnaissance, changing permissions, changing crypto transaction recipients, and adding more malware. The .rar file contains a Seil.exe file that infects the system with the Amadey bot.

Sample of a fraudulent gaming website used to infect devices (Image: Cyble)

The above image offers several cheats; however, it misspells the word 'powerful' as 'powerfil', which acts as a reminder that fraudulent websites and phishing emails are often not proofread.

Amadey bot downloads other malware families including Redline and Manuscript.

## Technical details of the Amadey bot attack

[CRIL researchers examined a found sample](https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/) with the SHA256 hash b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65, a 32-bit VC++ compiled executable file, and made the following observations:

The Amadey bot creates a duplicate of itself and saves it in the %Temp% folder. It then gets executed using the ShellExecuteA() API. Following this, it creates a mutex to make sure only one instance of the bot is running in the system at one time. The mutex name was c1ec479e5342a25940592acf24703eb2.

It maintains persistence using the startup value in the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders registry key. Along with this, the malware executes every minute because it gets configured in the Task Scheduler.
At this stage, the bot collects the machine's username and changes the permissions granted to the file nbveek.exe and the folder 4b9a106e76. It gets the permission to read, write, and execute files using the command:

```
/k echo Y|CACLS "nbveek.exe" /P "User Name:N"&&CACLS "nbveek.exe" /P "User Name:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "User Name:N"&&CACLS "..\4b9a106e76" /P "User Name:R" /E&&Exit
```

Now information collection begins; the collected data is sent to the cybercriminal's command and control (C&C) server using a POST request with specific field names. These include id for the victim's ID, vs for the version number of the bot, ar for the admin privilege status, and so on.

Two DLL files, cred64.dll and clip64.dll, are downloaded and saved in %appdata%. These credential-stealing modules are executed using rundll32.exe. Cred64.dll is a 64-bit Microsoft Visual C/C++ DLL executable and is programmed to steal browser data and settings details. It further steals crypto wallet data from directories including %appdata%\Armory\. It was found to be capable of terminating the crypto wallet client process if it was denied access to sensitive data. The copied data was sent to hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php.

Clip64.dll was a 32-bit VC++ compiled DLL file. It was a clipper module stealing cryptocurrency transaction data from the clipboard. It would replace the recipient's wallet address in the clipboard with the attacker's own, so the amount reaches them instead of the intended account.
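The persistence, mutex, CACLS, rundll32 and C&C observations above translate directly into host and network detection rules. The following is an added example, not code from the Cyble report or from The Cyber Express; the indicator constants come from the article, while the record shape, the function names (`match_record`, `scan`), the `victim` paths, the rundll32 export name and the beacon body are constructed for the demonstration. Note that the article's CACLS line sets the user's rights to `N` (none) and then edits in `R` (read) with `/E`, which is the pattern the rule keys on.

```python
# Added example (not from the Cyble report or The Cyber Express article): match
# the indicators the article lists against constructed endpoint/network records.
import re

# Indicators as reported in the article for the analysed sample.
MUTEX_NAME = "c1ec479e5342a25940592acf24703eb2"
PERSISTENCE_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\Explorer\User Shell Folders")
STEALER_MODULES = ("cred64.dll", "clip64.dll")
C2_PATH = "/9vZbns/index.php"
C2_FIELDS = {"id", "vs", "ar"}          # beacon fields named in the article
# Self-protection command from the article: echo Y|CACLS "<file>" /P "<user>:N"
# (rights set to N = none, after which /P <user>:R /E edits read access back in).
CACLS_RE = re.compile(r'echo\s+Y\s*\|\s*CACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)


def match_record(rec):
    """Return the names of the rules that a single telemetry record triggers."""
    hits = []
    kind = rec.get("type")
    if kind == "mutex" and rec.get("name") == MUTEX_NAME:
        hits.append("amadey_mutex")
    if kind == "registry" and rec.get("key", "").lower() == PERSISTENCE_KEY.lower():
        hits.append("user_shell_folders_persistence")
    if kind == "process":
        cmd = rec.get("cmdline", "")
        if CACLS_RE.search(cmd):
            hits.append("cacls_self_protection")
        if rec.get("image", "").lower().endswith("rundll32.exe") and any(
            m in cmd.lower() for m in STEALER_MODULES
        ):
            hits.append("stealer_module_via_rundll32")
    if kind == "http" and rec.get("method") == "POST" and rec.get("path") == C2_PATH:
        fields = {kv.split("=", 1)[0] for kv in rec.get("body", "").split("&") if kv}
        if C2_FIELDS <= fields:
            hits.append("amadey_c2_checkin")
    return hits


def scan(records):
    """Map each triggered rule to the indexes of the records that triggered it."""
    report = {}
    for i, rec in enumerate(records):
        for rule in match_record(rec):
            report.setdefault(rule, []).append(i)
    return report


# Constructed records in the shape an EDR/Sysmon parser might emit. The "victim"
# user, the rundll32 export name and the beacon body are made up for this demo.
SAMPLE_RECORDS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\Seil.exe", "cmdline": "Seil.exe"},
    {"type": "mutex", "name": "c1ec479e5342a25940592acf24703eb2", "pid": 4120},
    {"type": "registry", "op": "SetValue", "key": PERSISTENCE_KEY, "value": "Startup"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /k echo Y|CACLS "nbveek.exe" /P "victim:N"&&CACLS "nbveek.exe" /P "victim:R" /E&&Exit'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Roaming\cred64.dll,Main"},
    {"type": "http", "method": "POST", "host": "62.204.41.242", "path": "/9vZbns/index.php",
     "body": "id=1234567&vs=0.0&ar=0"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "http", "method": "GET", "host": "example.org", "path": "/", "body": ""},
]

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_RECORDS).items():
        print(f"{rule}: records {idx}")
```

The mutex and registry rules are exact matches and will only ever fire on this sample; the CACLS, rundll32 and POST-field rules describe behaviour rather than a hash, so they are the ones worth keeping after the sample's indicators rotate. Plain process records such as notepad.exe and ordinary GET traffic produce no hits.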
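The clipper behaviour described for clip64.dll, an address the user copied being silently replaced by another address of the same currency, can be caught on the endpoint by comparing what the user copied with what the clipboard later holds. The following is an added example, not code from the Cyble report or the article; the address patterns cover the four currencies the article names and check shape only (no checksums), and the event format, the function names (`classify_address`, `detect_swaps`) and every address in the timeline are constructed for the demonstration.

```python
# Added example (not code from the Cyble report or the article): a clipboard
# monitor that flags the substitution the clip64.dll clipper performs.
import re

# Loose syntax checks for the four currencies the article names; they validate
# shape only, not checksums, so they are a triage signal rather than proof.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}


def classify_address(text):
    """Return the currency whose address format `text` matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(events):
    """events: (source, clipboard_text) pairs in time order. source is "user"
    when a user copy placed the text on the clipboard and "poll" when a periodic
    read of the clipboard returned it. An alert is raised when a poll shows an
    address that differs from the one the user last copied."""
    alerts = []
    last_copied = None                       # (coin, text) of the user's last copy
    for source, text in events:
        coin = classify_address(text)
        if source == "user":
            last_copied = (coin, text) if coin else None
            continue
        if last_copied is None or coin is None or text == last_copied[1]:
            continue                         # nothing tracked, not an address, or unchanged
        alerts.append({
            "expected": last_copied[1],
            "observed": text,
            "same_currency": coin == last_copied[0],
        })
        last_copied = (coin, text)           # report each substitution once
    return alerts


# Constructed clipboard timeline; none of these addresses is real.
USER_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
USER_BTC = "1" + "A" * 33
SAMPLE_EVENTS = [
    ("user", USER_ETH),          # user copies the intended recipient
    ("poll", USER_ETH),          # clipboard still intact
    ("poll", SWAPPED_ETH),       # clipper rewrote it to another address
    ("poll", SWAPPED_ETH),       # unchanged since the alert, no duplicate
    ("user", "meeting at 3pm"),  # ordinary text resets the tracker
    ("poll", "meeting at 3pm"),
    ("user", USER_BTC),
    ("poll", USER_BTC),          # no substitution this time
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The `same_currency` flag is the interesting field: a clipper has to substitute an address of the same kind for the transaction to go through, so a same-currency change that the user did not initiate is a strong signal, while a user simply copying a different address is never reported because user copies reset the tracker.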
Amadey bot changing the clipboard data impacting the cryptocurrency transaction (Image: Cyble)

Amadey is being sold for about $500 on Russian-speaking hacker forums, according to a [report by Malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey). Amadey uses an infected system as a botnet and can launch a [distributed denial of service attack on other systems](https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-amadey-trojan-and-botnet.pdf).

© 2022 [The Cyber Express (Cyber Security News and Magazine)](https://thecyberexpress.com/) | By [Cyble Inc.](https://cyble.com/)