Cyble – The Rise Of Amadey Bot: A Growing Concern For Internet Security

MITRE Techniques

• [T1566.001] Phishing – The article notes the Amadey bot is spreading through phishing sites; quote: ‘phishing sites’ used for spreading the Amadey bot.
  “phishing sites, in addition to its usual method of being downloaded by the smoke loader through spam emails.”
• [T1204] User Execution – Users are shown the phishing site and must click a download button; quote: ‘when they click the download button.’
• [T1055] Process Injection – The loader loads the Amadey bot into the running process; quote: ‘loads another DLL module’ and ‘executed using the ShellExecuteA() API.’
• [T1218] Signed Binary Proxy Execution – Execution path via Windows API (Rundll32) as described in the article’s broader MITRE mapping; quote: ‘Rundll32’ usage implied in the technique table.
• [T1106] Native API – The malware uses native Windows API calls (e.g., ShellExecuteA) to run dropped components; quote: ‘uses the ShellExecuteA() API.’
• [T1547] Registry Run Keys / Startup Folder – Persistence via a startup registry value; quote: ‘persistence by adding a “startup” value in the below registry key.’
• [T1053] Scheduled Task/Job – Persistence via Task Scheduler configured to run every minute; quote: ‘the Task Scheduler configured by the malware is set to execute the malicious sample every minute.’
• [T1027] Obfuscated/Compressed Files or Information – The DLL Module is protected by multiple layers and decrypted to load Amadey; quote: ‘The DLL Module is protected by multiple layers, which finally loads the Amadey bot.’
• [T1105] Ingress Tool Transfer – The downloader fetches additional payloads from a remote server (e.g., Seil.exe dropping Amadey); quote: ‘The downloaded .rar file contains a file named “Seil.exe” … which is responsible for downloading the Amadey bot from the remote server.’
• [T1059] Command and Scripting Interpreter – ShellExecuteA/command-like execution path used to run dropped modules; quote: ‘executes it using the ShellExecuteA() API.’
• [T1115] Clipboard Data – Clip64.dll intercepts clipboard content to swap crypto addresses; quote: ‘intercepts cryptocurrency transactions by replacing a victim’s intended recipient with the attacker’s wallet address.’
• [T1005] Data from Local System – The malware collects information from the victim’s machine before exfiltration; quote: ‘The POST request contains the following fields with the victim’s sensitive information, such as username, system name, etc.’
• [T1082] System Information Discovery – Data sent includes OS and user information; quote: ‘victim’s sensitive information’ including username and OS
• [T1071] Application Layer Protocol – C2 communication occurs via HTTP POST to the C2 server; quote: ‘POST request contains the following fields…’ and ‘connects to a Command and Control (C&C) server.’