Amadey Bot Malware Distributed via SmokeLoader using Software Cracking Software

A malware distribution campaign has been detected by researchers at AhnLab that ultimately delivers Amadey Bot malware. Amadey Bot malware can steal information from infected systems, perform reconnaissance, and drop additional malware payloads on infected devices.

Amadey Bot malware is a relatively old malware, first identified four years ago. The latest campaign delivers a new version of the malware via SmokeLoader malware. SmokeLoader is a commonly used malware loader that, if allowed to run, will inject the Main Bot into the Explorer.exe process to ensure it is trusted by the operating system and will then download Amadey Bot malware. Amadey Bot will create a copy of itself in a temporary folder under the name bguuwe.exe and will maintain persistence by creating a scheduled task.

Reconnaissance is performed and a connection is made to the command-and-control (C2) server, and information about the system is sent to the server, including a list of all installed antivirus solutions. The version analyzed by the researchers can discover 14 different antivirus products and is believed to be able to deliver payloads that will not be detected by those solutions.

Amadey Bot malware can steal data from Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, WinSCP, and Mikrotik Router Management Program Winbox; however, the malware has been observed delivering other malicious payloads, including RedLine malware, which will further increase the capabilities of the threat actor.

Amadey Bot malware has previously been distributed using the Rig and Fallout exploit kits; however, this campaign uses software cracks and keygens to install SmokeLoader. These programs are voluntarily downloaded and executed by users, and while these software solutions may work, they will silently install malware when executed.

The easiest way to prevent infection with Amadey Bot malware is not to download product activators, keygens, and other software cracking tools. Businesses should consider blocking access to the websites where these software cracking tools are available using a category-based web filter, and should consider using a web filter to block the downloading of executable files from the Internet.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of