#amadey — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #amadey, aggregated by home.social.
-
Unknown malware using WebSockets for botnet command&control, spreading through #ClickFix ⤵️
🖱️ClickFix -> 📃VBS -> ⚙️MSI
Payload delivery host:
🌐 https://urlhaus.abuse.ch/host/103.27.157.60/Malware sample 🤖:
https://bazaar.abuse.ch/sample/4d8e5e890e8be3a1d3529edd384517f99ec1b05bbed7edb38da936d7b3d7749b/Botnet C2 domains:
📡 w2li .xyz
📡 w2socks .xyzThe same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ https://urlhaus.abuse.ch/url/3733103/ -
We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task -
Potential new stealer dropped by #Amadey, caught by @bitsight 🤖🔍Who can name it? ⤵️
👉 https://hunting.abuse.ch/hunt/6919ec1c9750e/185.100.157.69/#sandnet
Botnet C2 domains:
📡defender-temeerty .sbs
📡telemetry-defender .lolBotnet C2 server:
🛑185.100.157.69:443 (Partner Hosting 🇬🇧)Malware sample:
📄 https://bazaar.abuse.ch/sample/903cdf6c4bef90c7bcdacd909cc7e9c2be528a4de785f0aa2c19c6a1e4166a53/Dropped by Amadey via:
🌐 https://urlhaus.abuse.ch/host/arabianairlanes.lol/ -
We encountered a new loader advertised as "Morpheus" in underground forums 🕵️, recently dropped by #Amadey ⬇️🪲. Morpheus' C2 protocol is based on HTTP and working with tasks, where each task consists of an ID and a command 📣
Botnet C2: sophos-upd-srv .info 🇳🇱
The #malware accepts two command line parameters:
➡️ log: Path where debug logs are stored
➡️ update-url: URL used by the self-update process#Morpheus has the following capabilities 💡:
1️⃣ Persistence through the Windows registry. It copies itself to the AppData Roaming directory under "SysSvc64.exe" and creates a new registry Run key that points to its location.
2️⃣ A host-based ID generated by collecting the current time, hostname and the MAC address of the compromised host.
3️⃣ Collects system information of the compromised host and sends them to a botnet C2, both, in the form of "HeartBeat" but also as Task command
4️⃣ A self update mechanism, where it will download a new version of itself, write it to disk with a ".tmp" suffix and immediately execute it. The current running instance will then exit.
5️⃣ Execution of various actions based on the commands received from the #botnet C2The commands received from the botnet C2 come as a JSON object with two properties: "id" and "command". The following command-values are supported:
ℹ️ sysinfo: Collects the following information from the compromised host:
- Installed AV
- CPU (number of cores, architecture)
- Available Hard Disk (name, free space, total space)
- Domain (is domain joined, domain name)
- Available Memory (free, total)
- Network ( addresses, MAC, name)
- Processes (name, PID)
- Installed Apps
💥 selfdestruct: Deletes the Registry Run key and the executable from the disk running the command "/C ping 127.0.0.1 -n 3 > nul & del /f /q {sample_path}" -
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source:hackread.com https://ciso2ciso.com/github-abused-to-spread-amadey-lumma-and-redline-infostealers-in-ukraine-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #AsyncRAT #Hackread #security #malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source:hackread.com https://ciso2ciso.com/github-abused-to-spread-amadey-lumma-and-redline-infostealers-in-ukraine-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #AsyncRAT #Hackread #security #malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source:hackread.com https://ciso2ciso.com/github-abused-to-spread-amadey-lumma-and-redline-infostealers-in-ukraine-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #AsyncRAT #Hackread #security #malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source:hackread.com https://ciso2ciso.com/github-abused-to-spread-amadey-lumma-and-redline-infostealers-in-ukraine-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #AsyncRAT #Hackread #security #malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine https://hackread.com/github-abused-amadey-lumma-redline-infostealers-ukraine/ #Cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #Security #AsyncRAT #Malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine https://hackread.com/github-abused-amadey-lumma-redline-infostealers-ukraine/ #Cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #Security #AsyncRAT #Malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine https://hackread.com/github-abused-amadey-lumma-redline-infostealers-ukraine/ #Cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #Security #AsyncRAT #Malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine https://hackread.com/github-abused-amadey-lumma-redline-infostealers-ukraine/ #Cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #Security #AsyncRAT #Malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
Good day everyone!
Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.
Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.
As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprruIntel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Good day everyone!
Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.
Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.
As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprruIntel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Good day everyone!
Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.
Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.
As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprruIntel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Good day everyone!
Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.
Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.
As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprruIntel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Good day everyone!
Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.
Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.
As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
https://lnkd.in/gUisprruIntel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Another day, another #Amadey 📅👀 This time dropping #SystemBC ⤵️
Amadey botnet C2:
📡cobolrationumelawrtewarms .com
📡107.189.27.66 (AS14956 ROUTERHOSTING 🇳🇱)Dropping SystemBC from the following URL:
🌐https://urlhaus.abuse.ch/url/3470633/SystemBC payload:
📄https://bazaar.abuse.ch/sample/c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131/SystemBC botnet C2:
📡towerbingobongoboom .com
📡213.209.150.137:4086 (AS42821 RAPIDNET 🇩🇪) -
We have observed #Amadey (botnet ID: 092155) dropping #BumbleBee on an infected device, leveraging a new DGA seed 🔥 It leverages nTLD click and does not only use a new seed (e5774fe6340da26c) but also changed the domain length from 10 to 11 👀
Amadey C2 (AS57678 Cat Technologies 🇭🇰):
👉https://threatfox.abuse.ch/ioc/1437914/Active BumbleBee C2s 🛰️:
109.205.195.228 RockHoster 🇩🇪
194.127.179.88 Clouvider 🇳🇱
84.200.17.29 First Colo 🇩🇪
192.121.22.92 EDIS 🇩🇪
103.214.68.110 ExtraVM 🇳🇱DGA domains:
🌐https://threatfox.abuse.ch/browse/tag/e5774fe6340da26c/BumbleBee malware sample:
📄https://bazaar.abuse.ch/sample/f39ac7d6c65d67bca47b59de81d84920da7ec5d0098712c1c9501e2c7dfe9bf2/ -
This June saw the return of #Vidar, in at #9 with a +2,358% increase in samples shared on abuse.ch's URLhaus. But it's no match for fellow stealers, #StealC and #Amadey, with 2,6,28 and 1,771 samples shared respectively (!) 😲
👉 Read the Malware Digest stats here: https://www.spamhaus.org/malware-digest/#urlhaus
-
@RecklessPush38671 The initial “bearDemm” loader was downloaded by this sample, which is classified by TrendMicro as #Amadey:
83c6f7d8026e3b966329e8c39a2c9e73- hxxp://193.233.132[.]167/lend/laryyyyy.exe
These additional sandbox executions confirms this behavior:
https://www.hybrid-analysis.com/sample/d963392aa3f2cfe80e55734fdb2e7db55b99309935031e6c7a034cca62ffd3c9/65e1981eca97a25aee002718
https://tria.ge/240301-ksr8xseh59/static1The C2 traffic from the downloaded sample looks nothing like Amadey though.
-
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Bitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets.
Pulse ID: 65496ba01d87131cbc5a6484
Pulse Link: https://otx.alienvault.com/pulse/65496ba01d87131cbc5a6484
Pulse Author: AlienVault
Created: 2023-11-06 22:41:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #malware #Socks5Systemz #proxy #Amadey #botnet #AlienVault
-
"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"
The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.
We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.
BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗
Source: BitSight Blog
Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍
-
"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"
The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.
We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.
BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗
Source: BitSight Blog
Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍
-
"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"
The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.
We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.
BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗
Source: BitSight Blog
Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍
-
"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"
The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.
We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.
BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗
Source: BitSight Blog
Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍
-
"🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"
The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.
We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.
BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗
Source: BitSight Blog
Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍
-
I just caught a live instance of #amadey #malware on a customer network using @zeek and this package I wrote:
https://github.com/keithjjones/zeek-amadey-detector
-
#WormsWeeklyIoC have been released. This week features #RecordBreaker/#racconv2, #Amadey #Botnet, and a rework of my #Rhadamanthys #Stealer #IoC gathering.
Find all indicators here:
https://github.com/Gi7w0rm/MalwareConfigLists/tree/mainThe proudest release this week is 85 new #Rhadamanthys #Stealer #C2s not prior known to #Threatfox.
I invite you all to vet those to make sure my new method of gathering works correctly :)
Together with this week's #Raccoon #IoC, they are all in #OTX as well.https://otx.alienvault.com/user/@Gi7w0rm/pulses
Interesting side note: One of the #IoC for #Rhadamanthys #Stealer is IP: 104.156.149[.]126.
This IP has been attributed as an Indicator of #Sandworm / GRU Unit 74455 by Google:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/Stay safe out there <3
-
#WormsWeeklyIoC have been released. This week features #RecordBreaker/#racconv2, #Amadey #Botnet, and a rework of my #Rhadamanthys #Stealer #IoC gathering.
Find all indicators here:
https://github.com/Gi7w0rm/MalwareConfigLists/tree/mainThe proudest release this week is 85 new #Rhadamanthys #Stealer #C2s not prior known to #Threatfox.
I invite you all to vet those to make sure my new method of gathering works correctly :)
Together with this week's #Raccoon #IoC, they are all in #OTX as well.https://otx.alienvault.com/user/@Gi7w0rm/pulses
Interesting side note: One of the #IoC for #Rhadamanthys #Stealer is IP: 104.156.149[.]126.
This IP has been attributed as an Indicator of #Sandworm / GRU Unit 74455 by Google:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/Stay safe out there <3
-
-
In November, 2022 the most observed payload distributed through malware sites was #Amadey followed by #AgentTesla 🔥
Having a look at unique malware sites reported to URLhaus, we see #Emotet being at the very top of our ranking ⏫
Read more in our monthly malware digest:
👉 https://t.co/4Yg710BJa2