🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets
Schedule a DemoCategory:Â Malware Intelligence
Type/Family:Â
AV Disabler/Healer
Botnet/Amadey
Stealer/RedLine
Industry:Â Multiple
Region:Â Global
‍
‍
CloudSEK’s threat intelligence team has a Microsoft Defender antivirus (AV) disabler named Healer.exe . The executable was found on Tria.ge, and the tag given by Tria.ge for this executable is Healer.Â
‍
‍
Upon further investigation of the executable. It was found that this executable is a part of an on-going multi-stage Amadey Botnet campaign, that also drops the infamous Redline infostealer on target systems. However, the attack does not begin with this executable.
‍
‍
‍
Stage 1: Dropper no. 1 (.EXE) is deployed on the system, and has two EXEs embedded within itself. Drops the two executables on the system.
Stage 2: Dropper no. 2 (.EXE) serves as a dropper for two more executables; Healer.exe (Microsoft Defender disabler) and RedLine infostealer.
Stage 3: Dropper no. 3 (.EXE) drops the Amadey executable and executes it on the system
‍
It should be noted that there were slight variations seen from campaign to campaign (for eg. one extra dropper being used in one of the stages, or different file dropping order), but the attack flow remains very similar. The example campaign used for technical analysis follows a different order for dropping files.
‍
The campaign starts off with the deployment of dropper no. 1 on the target system. This file is most often a PE32 C++ executable, with the original name WEXTRACT.EXE.MUI. The file description states that this file is a “Win32 Cabinet Self-Extractor”, which indicates that this binary may have embedded binaries within its resources. The copyright also states that this file is owned by Microsoft.
‍
‍
‍
Taking a look at the resources section of this executable confirms our suspicions of embedded binaries. We can see that the binary contains a Cabinet (.CAB) file within the section. The Microsoft Cabinet file format is an archive file format used to store compressed files within itself. We can also see that the .rsrc section occupies 91.41 percent of the file size.
‍
‍
‍
We can see that the Cabinet file contains two executables that are stored within the archive.
‍
‍
‍
We the order of execution of those files by looking at the “RUNPROGRAM” and “POSTRUNPROGRAM” attributes. The executable name specified in “RUNPROGRAM” will be executed first, and after that the executable name specified in “POSTRUNPROGRAM” will be executed.
‍
‍
‍
The executables are dropped in a newly created directory in C:\Users\[Username]\AppData\Local\Temp\ in a similar fashion to that shown below.
‍
‍
‍
Contrary to the diagram shared in Campaign Overview, the files associated with this campaign being used for technical analysis will first be Amadey and Healer.exe using dropper no. 2. The second stage dropper also operates in the same fashion as the first stage dropper, in that it uses a Cabinet to drop its executables.
‍
‍
‍
‍
‍
The executables are dropped in the same path under a different directory. The file executed first (in this case g8262924.exe) is a dropper for Amadey, and drops it in a new directory stored in the path C:\Users\[Username]\AppData\Temp\. Healer.exe is executed after Amadey.
‍
‍
‍
Amadey is a botnet family that allows a threat actor to gain full access to a target system. Amadey has its own C2 panel, in-built Infostealer module, and cryptocurrency transaction interceptor module. The executable comes in the form of a PE32 C++ binary.
‍
Upon execution, there is a long process chain formed. Essentially, Amadey starts off by:
‍
Them, Amadey initiates a connection with the C2 server by sending out an HTTP POST request. This request contains information about the current target. Information such as Amadey Bot identification details, target PC and OS information, target username, etc.
‍
‍
‍
After a connection with the C2 server has been successfully made, Amadey fetches two malicious DLLs from the C2 server, namely cred64.dll and clip64.dll. It does this by initiating an HTTP GET request.
‍
‍
‍
Cred64.dll, the in-built infostealer module, will attempt to steal saved credentials from browsers and information from cryptocurrency wallets. Some of the target applications include Google Chrome, Microsoft Edge, Opera, Electrum, Monero and Litecoin. Data is exfiltrated using HTTP POST requests.
‍
Clip64.dll, the module responsible for intercepting cryptocurrency transactions, steals cryptocurrency from its victims by replacing the intended recipient wallet address with the threat actor’s wallet address. It does this by replacing anything stored in the clipboard with that wallet address.
‍
Amadey has also been seen to be used as a Malware downloader. Threat actors are known to deploy many popular Infostealer families such as Vidar and Redline, along with other type of Malware using Amadey.
‍
Post the execution of Amadey in this campaign, the second binary (in this case, h6920491.exe) is executed on the system. The file is a PE32 .NET Assembly, which is of the original name Healer.exe with description Healer.
‍
‍
‍
By making changes to registry entries, this disabler permanently disables Microsoft Defender and its Anti-Spyware measures, along with disabling Windows automatic updates, so that the target does not get latest security patches, and does not restart unexpectedly.
‍
‍
‍
‍
‍
In most instances of this campaign observed, Healer.exe is executed before the deployment of Amadey/Redline. This also makes sense logically, since the threat actor would want to disable security measures in order to ensure flawless deployment and execution of the further stages.Â
The fact that in this case, Healer is deployed after Amadey leads us to believe that this may be an error made by the threat actor associated with this specific campaign.
‍
Lastly, the second file dropped by the first stage dropper (in this case, j3096141.exe) is executed. This is a variant of the Redline Infostealer. It comes in the form of a PE32 .NET assembly, and has the capability of saving saved credentials, cookies, and other information from multiple popular browsers and cryptocurrency wallets.Â
‍
You can read more about the Redline Infostealer in our technical analysis report here.
‍
‍
‍
‍
‍
‍
‍
CloudSEK’s TRIAD team created this report based on an analysis of the increasing trend of cryptocurrency counterfeiting, in which tokens impersonate government organizations to provide some legitimacy to their “rug pull” scams. An example of this scam is covered in this report where threat actors have created a counterfeit token named “BRICS”. This token is aimed at exploiting the focus on the BRICS Summit held in Kazan, Russia, and the increased interest in investments and expansion of the BRICS government organization which comprises different countries (Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates)
CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.
Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.
Take action now
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.
Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.
Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.
Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.
9
min read
Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.
Category:Â Malware Intelligence
Type/Family:Â
AV Disabler/Healer
Botnet/Amadey
Stealer/RedLine
Industry:Â Multiple
Region:Â Global
‍
‍
CloudSEK’s threat intelligence team has a Microsoft Defender antivirus (AV) disabler named Healer.exe . The executable was found on Tria.ge, and the tag given by Tria.ge for this executable is Healer.Â
‍
‍
Upon further investigation of the executable. It was found that this executable is a part of an on-going multi-stage Amadey Botnet campaign, that also drops the infamous Redline infostealer on target systems. However, the attack does not begin with this executable.
‍
‍
‍
Stage 1: Dropper no. 1 (.EXE) is deployed on the system, and has two EXEs embedded within itself. Drops the two executables on the system.
Stage 2: Dropper no. 2 (.EXE) serves as a dropper for two more executables; Healer.exe (Microsoft Defender disabler) and RedLine infostealer.
Stage 3: Dropper no. 3 (.EXE) drops the Amadey executable and executes it on the system
‍
It should be noted that there were slight variations seen from campaign to campaign (for eg. one extra dropper being used in one of the stages, or different file dropping order), but the attack flow remains very similar. The example campaign used for technical analysis follows a different order for dropping files.
‍
The campaign starts off with the deployment of dropper no. 1 on the target system. This file is most often a PE32 C++ executable, with the original name WEXTRACT.EXE.MUI. The file description states that this file is a “Win32 Cabinet Self-Extractor”, which indicates that this binary may have embedded binaries within its resources. The copyright also states that this file is owned by Microsoft.
‍
‍
‍
Taking a look at the resources section of this executable confirms our suspicions of embedded binaries. We can see that the binary contains a Cabinet (.CAB) file within the section. The Microsoft Cabinet file format is an archive file format used to store compressed files within itself. We can also see that the .rsrc section occupies 91.41 percent of the file size.
‍
‍
‍
We can see that the Cabinet file contains two executables that are stored within the archive.
‍
‍
‍
We the order of execution of those files by looking at the “RUNPROGRAM” and “POSTRUNPROGRAM” attributes. The executable name specified in “RUNPROGRAM” will be executed first, and after that the executable name specified in “POSTRUNPROGRAM” will be executed.
‍
‍
‍
The executables are dropped in a newly created directory in C:\Users\[Username]\AppData\Local\Temp\ in a similar fashion to that shown below.
‍
‍
‍
Contrary to the diagram shared in Campaign Overview, the files associated with this campaign being used for technical analysis will first be Amadey and Healer.exe using dropper no. 2. The second stage dropper also operates in the same fashion as the first stage dropper, in that it uses a Cabinet to drop its executables.
‍
‍
‍
‍
‍
The executables are dropped in the same path under a different directory. The file executed first (in this case g8262924.exe) is a dropper for Amadey, and drops it in a new directory stored in the path C:\Users\[Username]\AppData\Temp\. Healer.exe is executed after Amadey.
‍
‍
‍
Amadey is a botnet family that allows a threat actor to gain full access to a target system. Amadey has its own C2 panel, in-built Infostealer module, and cryptocurrency transaction interceptor module. The executable comes in the form of a PE32 C++ binary.
‍
Upon execution, there is a long process chain formed. Essentially, Amadey starts off by:
‍
Them, Amadey initiates a connection with the C2 server by sending out an HTTP POST request. This request contains information about the current target. Information such as Amadey Bot identification details, target PC and OS information, target username, etc.
‍
‍
‍
After a connection with the C2 server has been successfully made, Amadey fetches two malicious DLLs from the C2 server, namely cred64.dll and clip64.dll. It does this by initiating an HTTP GET request.
‍
‍
‍
Cred64.dll, the in-built infostealer module, will attempt to steal saved credentials from browsers and information from cryptocurrency wallets. Some of the target applications include Google Chrome, Microsoft Edge, Opera, Electrum, Monero and Litecoin. Data is exfiltrated using HTTP POST requests.
‍
Clip64.dll, the module responsible for intercepting cryptocurrency transactions, steals cryptocurrency from its victims by replacing the intended recipient wallet address with the threat actor’s wallet address. It does this by replacing anything stored in the clipboard with that wallet address.
‍
Amadey has also been seen to be used as a Malware downloader. Threat actors are known to deploy many popular Infostealer families such as Vidar and Redline, along with other type of Malware using Amadey.
‍
Post the execution of Amadey in this campaign, the second binary (in this case, h6920491.exe) is executed on the system. The file is a PE32 .NET Assembly, which is of the original name Healer.exe with description Healer.
‍
‍
‍
By making changes to registry entries, this disabler permanently disables Microsoft Defender and its Anti-Spyware measures, along with disabling Windows automatic updates, so that the target does not get latest security patches, and does not restart unexpectedly.
‍
‍
‍
‍
‍
In most instances of this campaign observed, Healer.exe is executed before the deployment of Amadey/Redline. This also makes sense logically, since the threat actor would want to disable security measures in order to ensure flawless deployment and execution of the further stages.Â
The fact that in this case, Healer is deployed after Amadey leads us to believe that this may be an error made by the threat actor associated with this specific campaign.
‍
Lastly, the second file dropped by the first stage dropper (in this case, j3096141.exe) is executed. This is a variant of the Redline Infostealer. It comes in the form of a PE32 .NET assembly, and has the capability of saving saved credentials, cookies, and other information from multiple popular browsers and cryptocurrency wallets.Â
‍
You can read more about the Redline Infostealer in our technical analysis report here.
‍
‍
‍
‍
‍
‍
‍