Category: Malware Intelligence
- New Healer AV disabler being utilized by Amadey botnet in order to disable Microsoft Defender.
- Redline stealer dropped on target systems.
- Target systems infected with Amadey botnet.
- Microsoft Defender is permanently disabled on target.
- Microsoft Auto-Update is disabled, restricting targets to get latest security patches.
- Redline infostealer deployed to steal sensitive information.
- Threat actors gain full control of target systems using Amadey bot.
- Keep assets updated with the latest Microsoft security patch.
- Use strong anti-malware software and practices.
Analysis and Campaign Overview
CloudSEK’s threat intelligence team has a Microsoft Defender antivirus (AV) disabler named Healer.exe . The executable was found on Tria.ge, and the tag given by Tria.ge for this executable is Healer.
Upon further investigation of the executable. It was found that this executable is a part of an on-going multi-stage Amadey Botnet campaign, that also drops the infamous Redline infostealer on target systems. However, the attack does not begin with this executable.
Stage 1: Dropper no. 1 (.EXE) is deployed on the system, and has two EXEs embedded within itself. Drops the two executables on the system.
Stage 2: Dropper no. 2 (.EXE) serves as a dropper for two more executables; Healer.exe (Microsoft Defender disabler) and RedLine infostealer.
Stage 3: Dropper no. 3 (.EXE) drops the Amadey executable and executes it on the system
It should be noted that there were slight variations seen from campaign to campaign (for eg. one extra dropper being used in one of the stages, or different file dropping order), but the attack flow remains very similar. The example campaign used for technical analysis follows a different order for dropping files.
Stage 1 - Dropper no. 1 (Drops Second Stage Dropper)
The campaign starts off with the deployment of dropper no. 1 on the target system. This file is most often a PE32 C++ executable, with the original name WEXTRACT.EXE.MUI. The file description states that this file is a “Win32 Cabinet Self-Extractor”, which indicates that this binary may have embedded binaries within its resources. The copyright also states that this file is owned by Microsoft.
Taking a look at the resources section of this executable confirms our suspicions of embedded binaries. We can see that the binary contains a Cabinet (.CAB) file within the section. The Microsoft Cabinet file format is an archive file format used to store compressed files within itself. We can also see that the .rsrc section occupies 91.41 percent of the file size.
We can see that the Cabinet file contains two executables that are stored within the archive.
We the order of execution of those files by looking at the “RUNPROGRAM” and “POSTRUNPROGRAM” attributes. The executable name specified in “RUNPROGRAM” will be executed first, and after that the executable name specified in “POSTRUNPROGRAM” will be executed.
The executables are dropped in a newly created directory in C:\Users\[Username]\AppData\Local\Temp\ in a similar fashion to that shown below.
Stage 2 - Dropper no. 2 (Healer and Amadey)
Contrary to the diagram shared in Campaign Overview, the files associated with this campaign being used for technical analysis will first be Amadey and Healer.exe using dropper no. 2. The second stage dropper also operates in the same fashion as the first stage dropper, in that it uses a Cabinet to drop its executables.
The executables are dropped in the same path under a different directory. The file executed first (in this case g8262924.exe) is a dropper for Amadey, and drops it in a new directory stored in the path C:\Users\[Username]\AppData\Temp\. Healer.exe is executed after Amadey.
Amadey is a botnet family that allows a threat actor to gain full access to a target system. Amadey has its own C2 panel, in-built Infostealer module, and cryptocurrency transaction interceptor module. The executable comes in the form of a PE32 C++ binary.
Upon execution, there is a long process chain formed. Essentially, Amadey starts off by:
- Creating a Startup registry entry in order to make it so that Amadey runs every time a user logs on.
- Creating a scheduled task that runs the Amadey binary every minute using the command “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN amadey.exe /TR “C:\Users\[Username]\AppData\Local\Temp\5eb6b96734\amadey.exe” /F.
- Changing the rights for the username “Test”, making it so that the Amadey binary cannot be written to or deleted, but only read. The command used is CACLS ”mnolyk.exe” /P “test:R” /E.
Them, Amadey initiates a connection with the C2 server by sending out an HTTP POST request. This request contains information about the current target. Information such as Amadey Bot identification details, target PC and OS information, target username, etc.
After a connection with the C2 server has been successfully made, Amadey fetches two malicious DLLs from the C2 server, namely cred64.dll and clip64.dll. It does this by initiating an HTTP GET request.
Cred64.dll, the in-built infostealer module, will attempt to steal saved credentials from browsers and information from cryptocurrency wallets. Some of the target applications include Google Chrome, Microsoft Edge, Opera, Electrum, Monero and Litecoin. Data is exfiltrated using HTTP POST requests.
Clip64.dll, the module responsible for intercepting cryptocurrency transactions, steals cryptocurrency from its victims by replacing the intended recipient wallet address with the threat actor’s wallet address. It does this by replacing anything stored in the clipboard with that wallet address.
Amadey has also been seen to be used as a Malware downloader. Threat actors are known to deploy many popular Infostealer families such as Vidar and Redline, along with other type of Malware using Amadey.
Healer.exe (Microsoft Defender disabler)
Post the execution of Amadey in this campaign, the second binary (in this case, h6920491.exe) is executed on the system. The file is a PE32 .NET Assembly, which is of the original name Healer.exe with description Healer.
By making changes to registry entries, this disabler permanently disables Microsoft Defender and its Anti-Spyware measures, along with disabling Windows automatic updates, so that the target does not get latest security patches, and does not restart unexpectedly.
Important Registry Changes
In most instances of this campaign observed, Healer.exe is executed before the deployment of Amadey/Redline. This also makes sense logically, since the threat actor would want to disable security measures in order to ensure flawless deployment and execution of the further stages.
The fact that in this case, Healer is deployed after Amadey leads us to believe that this may be an error made by the threat actor associated with this specific campaign.
Stage 3 - Dropper no. 1 (Drops Redline)
Lastly, the second file dropped by the first stage dropper (in this case, j3096141.exe) is executed. This is a variant of the Redline Infostealer. It comes in the form of a PE32 .NET assembly, and has the capability of saving saved credentials, cookies, and other information from multiple popular browsers and cryptocurrency wallets.
You can read more about the Redline Infostealer in our technical analysis report here.
Indicators of Compromise (IoCs)