LockBit Affiliate Employs Amadey Bot Malware to Spread Ransomware


Phishing emails that install the Amadey Bot are being used by a LockBit 3.0 ransomware affiliate to control targets and encrypt devices. A recent AhnLab report claims that the threat actor targets businesses via phishing emails that contain lures disguised as job application offers or notifications of copyright infringement.

The attack’s LockBit 3.0 payload is downloaded as a PowerShell script or an executable file that runs on the host computer and encrypts data. Amadey Bot is an older malware strain capable of system reconnaissance, data exfiltration, and payload loading. Amadey Bot activity has surged in 2022, according to Korean researchers at AhnLab, who also discovered a new variant of the malware in July that was distributed using SmokeLoader.

The most recent version improved its antivirus detection evasion and auto-avoidance features, making intrusions and payload drops more covert. The more recent attack packs a LockBit 3.0 payload in place of the information-stealing malware, such as RedLine, that Amadey delivered in the July campaign. In one distribution chain identified by AhnLab researchers, the malicious program was disguised as a Word file; in another, it used a VBA macro.

In the first instance, in order to run the macro that produces an LNK file and saves it to “C:\Users\Public\skem.lnk,” the user must click the “Enable Content” button. This file serves as Amadey’s downloader. In the second instance, which was seen in late October, email attachments containing the file “Resume.exe” (Amadey) deceive recipients into double-clicking. It is fair to presume that the operator is the same since both distribution routes result in Amadey infections that use the same command and control (C2) address.

When it first starts, the malware copies itself to the TEMP directory and sets up a scheduled task to maintain persistence across system reboots. Amadey then establishes a connection with the C2, sends a host profile report, and waits for commands. The C2 server’s three available commands specify whether LockBit should be downloaded and executed as a PowerShell script (“cc.ps1” or “dd.ps1”) or as an executable file (“LBB.exe”).

The payloads are again dropped in TEMP as one of the following three files:

  • %TEMP%\1000018041\dd.ps1
  • %TEMP%\1000019041\cc.ps1
  • %TEMP%\1000020001\LBB.exe
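As an added example (not code from the report or from AhnLab), the following Python script turns the file-system and persistence indicators described above into a simple triage check that a responder could run over an exported file listing and scheduled-task inventory. The indicator paths are the ones named in the report (skem.lnk, Resume.exe, the numbered TEMP folders holding cc.ps1, dd.ps1 or LBB.exe); the assumption that the numbered folder under %TEMP% varies per host and can be matched as any run of digits is mine, and the sample paths and task entries are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicator patterns built from the paths named in the report. The numbered
# folder under %TEMP% is assumed to vary per infection, so it is matched as
# any run of digits (assumption, not stated by the report).
INDICATOR_PATTERNS = {
    "amadey_lnk_dropper": re.compile(r"(?i)^c:\\users\\public\\skem\.lnk$"),
    "amadey_resume_exe": re.compile(r"(?i)\\resume\.exe$"),
    "lockbit_ps1_payload": re.compile(r"(?i)(?:\\|%)temp%?\\\d+\\(cc|dd)\.ps1$"),
    "lockbit_exe_payload": re.compile(r"(?i)(?:\\|%)temp%?\\\d+\\lbb\.exe$"),
}

# Any scheduled task whose action runs out of a TEMP directory is suspicious,
# because the report says Amadey copies itself to TEMP and persists via a task.
TEMP_DIR_RE = re.compile(r"(?i)(?:\\|%)temp%?\\")


@dataclass
class Finding:
    source: str   # "file" or "task"
    rule: str     # which indicator matched
    value: str    # the path or task that triggered it


def normalize(path: str) -> str:
    """Use backslashes throughout so exported listings with '/' still match."""
    return path.replace("/", "\\").strip()


def match_path(path: str):
    """Return the indicator rule name matching a file path, or None."""
    p = normalize(path)
    for name, rx in INDICATOR_PATTERNS.items():
        if rx.search(p):
            return name
    return None


def scan_file_paths(paths):
    """Flag every path in an exported file listing that matches an indicator."""
    findings = []
    for p in paths:
        rule = match_path(p)
        if rule:
            findings.append(Finding("file", rule, p))
    return findings


def scan_scheduled_tasks(tasks):
    """tasks: iterable of (task_name, action_path). Flags actions under TEMP."""
    findings = []
    for name, action in tasks:
        if TEMP_DIR_RE.search(normalize(action)):
            findings.append(Finding("task", "task_runs_from_temp", f"{name} -> {action}"))
    return findings


# Constructed sample input standing in for an exported file listing.
SAMPLE_FILE_PATHS = [
    r"C:\Users\Public\skem.lnk",
    r"C:\Users\alice\Downloads\Resume.exe",
    r"C:\Users\alice\AppData\Local\Temp\1000018041\dd.ps1",
    r"C:\Users\alice\AppData\Local\Temp\1000020001\LBB.exe",
    r"C:\Users\alice\Documents\quarterly-report.docx",
    r"C:\Program Files\Vendor\LBB.exe",  # same file name, but not under TEMP: not flagged
]

# Constructed sample scheduled tasks (name, action executable).
SAMPLE_TASKS = [
    ("Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"C:\Windows\System32\defrag.exe"),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for f in scan_file_paths(SAMPLE_FILE_PATHS) + scan_scheduled_tasks(SAMPLE_TASKS):
        print(f"[{f.source}] {f.rule}: {f.value}")
```

The file-name rules are deliberately anchored to the TEMP location so that a legitimately installed binary that happens to share a name is not flagged; the scheduled-task rule is broader and will also catch anything else persisting out of TEMP, so its hits need a second look before being treated as confirmed Amadey activity.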

LockBit then encrypts the user’s data, drops ransom notes demanding payment, and threatens to publish stolen material on the group’s extortion website unless the ransom is paid. In September 2022, AhnLab discovered two more ways LockBit 3.0 was being distributed: one dropping ZIP files containing the malware in NSIS format, the other using DOTM documents with malicious VBA macros. All of this appears to be an extension of the same effort, since LockBit 2.0 was previously seen being spread through fraudulent copyright infringement emails that dropped NSIS installers in June 2022.

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.