Nitol DDoS Malware Installing Amadey Bot – ASEC BLOG

ASEC researchers report that the Nitol DDoS Bot is used to install Amadey Bot, a downloader that drops additional malware. Amadey has resurfaced in cracks, keygens, and spam campaigns and was linked to LockBit 3.0 attacks targeting Korean corporate users. #Nitol #Amadey

Keypoints

  • Nitol DDoS Bot is being used to install Amadey Bot across infected systems.
  • Amadey is distributed via torrent-based cracks/keygens and spam attachments, including campaigns tied to LockBit 3.0 against Korean firms.
  • Nitol is packed with Themida to hinder analysis, includes anti-virtualization/sandbox checks, and generates dummy network packets to impede analysis.
  • Nitol persists by copying itself to AppData and registering a Run key for startup, enabling continued execution after reboot.
  • C2 communications enable commands for DDoS, downloading/updating payloads, and even destructive actions like MBR modification.
  • Amadey, once installed by Nitol, pulls in additional payloads (Amadey Bot, Nitol Type A/B, Downloader) and disguises itself as legitimate programs like TeamViewer or Explorer.

MITRE Techniques

  • [T1027] Obfuscated Files and Information – Nitol was packed with Themida to hinder analysis. ‘Nitol was packed with Themida to hinder analysis.’
  • [T1497] Virtualization/Sandbox Evasion – The virtual environment check executes the x86 IN instruction against the VMware backdoor I/O port to detect whether it is running on a VMware virtual machine (outside VMware the privileged instruction faults; inside, the hypervisor answers with its magic value). ‘The virtual environment check uses the IN command to check whether it is running on a VMware virtual machine.’
  • [T1547.001] Registry Run Keys / Startup Folder (formerly T1060) – It uses reg.exe to register itself to the Run key for persistence. ‘C:\Windows\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\vmuser\AppData\Roaming\gkqske.exe"’
  • [T1105] Ingress Tool Transfer – Downloads and runs payloads (SW_HIDE) and downloads additional payloads. ‘Download and run payload (SW_HIDE)’
  • [T1036] Masquerading – The malware mimics legitimate programs, using names such as TeamViewer, Explorer, and AnyDesk. ‘The malware mimics original programs, with names such as TeamViewer, Explorer, and AnyDesk.’
  • [T1041] Exfiltration Over C2 Channel – Amadey transmits basic information about the infected system to the C&C server and, besides account credentials, takes periodic screenshots and sends them as well. ‘Besides account credentials, Amadey also takes periodic screenshots and sends them to the C&C server.’
  • [T1499] Endpoint Denial of Service – DDoS commands are issued by the C2 (e.g., DDoS Attack #1). ‘DDoS Attack #1’
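The persistence step (copy to AppData\Roaming, then reg.exe ADD against the HKCU Run key) is easy to hunt for in process-creation telemetry. The following Python script is an added example, not ASEC's code: it parses reg.exe command lines of the kind Sysmon Event ID 1 or Windows Security 4688 record, keeps only ADD operations against Run/RunOnce keys, and flags those whose data points into a user-writable directory. The sample command lines are constructed, except the first, which is the command quoted above; the set of "user-writable" locations is an assumption you would tune to your estate.

```python
"""Detect Run-key persistence set through reg.exe, as Nitol does.

Added example, not ASEC's code. Scans process-creation command lines for
``reg.exe ADD`` against a Run/RunOnce key whose data points into a
user-writable directory such as AppData\\Roaming. All sample lines are
constructed except the first, which is the command quoted in the write-up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows-style command-line tokens: a double-quoted span or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Per-user and machine Run / RunOnce keys, with or without the WOW6432Node hop.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\"
    r"SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)

# Locations a standard user can write to (assumed list): installers usually
# register binaries under Program Files, malware registers what it just dropped.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\|"
    r"%(APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC|PROGRAMDATA)%",
    re.IGNORECASE,
)


@dataclass
class RunKeyAdd:
    key: str
    value_name: str
    data: str
    suspicious: bool


def tokenize(cmdline: str) -> List[str]:
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RunKeyAdd]:
    """Return the Run-key registration a command line performs, or None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg.exe", "reg") or toks[1].lower() != "add":
        return None
    key = toks[2].strip("\\")
    if not RUN_KEY_RE.match(key):
        return None
    value_name, data = "(Default)", ""
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                value_name = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve and anything else take no argument here
    return RunKeyAdd(key, value_name, data, bool(USER_WRITABLE_RE.search(data)))


def scan(cmdlines: List[str]) -> List[RunKeyAdd]:
    """Return only the Run-key registrations that point into user-writable paths."""
    hits = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is not None and entry.suspicious:
            hits.append(entry)
    return hits


SAMPLE_CMDLINES = [
    # Real: the persistence command quoted in the ASEC write-up.
    r'C:\Windows\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\vmuser\AppData\Roaming\gkqske.exe"',
    # Constructed: benign installer registering a Program Files binary.
    r'reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f',
    # Constructed: reg.exe use that has nothing to do with persistence.
    r'reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
    # Constructed: RunOnce with an environment-variable path into AppData.
    r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v upd /d "%APPDATA%\svc.exe" /f',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"{hit.key}  {hit.value_name!r} -> {hit.data}")
```

Running the script flags the quoted Nitol command and the constructed RunOnce entry, and leaves the Program Files registration and the QUERY alone. Malware can also set the value through the registry API without spawning reg.exe, so pair this with registry-write telemetry (Sysmon Event ID 13) on the same keys.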

Indicators of Compromise

  • [IP Address] Network address used by C2 – 45.89.255[.]250:50505, 45.89.255[.]250:40404
  • [Domain/URL] C2 domains and download URLs – rlarnjsdud0502.kro.kr:2222, hxxp://AQWe9sfiWSwPyVMJ[.]xyz/jg94cVd30f/index.php, hxxp://PMVqdJfUf3WlX9kI[.]xyz/jg94cVd30f/index.php, hxxp://SmgqNt3EIxXkSAsU[.]xyz/jg94cVd30f/index.php
  • [Domain/URL] Additional download pages – hxxp://45.89.255[.]250:8080/TeamViewer_Desktop.exe, hxxp://45.89.255[.]250:8080/explorer.exe, hxxp://45.89.255[.]250:8080/TeamViewerSetupx64.exe
  • [Domain/URL] Other download paths – hxxp://45.89.255[.]250:8080/ServiceManager.exe, hxxp://45.89.255[.]250:8080/Kwvwz.png
  • [MD5] File hashes of observed malware components – 3038c7bb0f593df3f52f0644c894c7ba, d332cf184ac8335d2c3581a48ee0ad87
  • [File name] Disguised payload names – TeamViewerSetupx64.exe, TeamViewer_Desktop.exe, explorer.exe, ServiceManager.exe
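The indicators above are defanged and mix bare host:port pairs with full URLs, and the same C2 address appears with several ports (50505, 40404, 8080). The Python script below is an added example, not ASEC's code: it refangs the list, normalises every indicator to a lower-cased hostname, and matches that against constructed proxy, DNS and connection log lines. The log lines and their timestamps are constructed; the indicator list is the one on this page.

```python
"""Refang the write-up's network IoCs and match them against sample logs.

Added example, not ASEC's code. The IoC list is copied from the write-up;
the log lines are constructed. Matching is done on the normalised hostname
(lower-cased, port and path dropped) because the same C2 host shows up with
several ports and DNS names are case-insensitive.
"""
from typing import List, Set, Tuple
from urllib.parse import urlsplit

IOCS = [
    "45.89.255[.]250:50505",
    "45.89.255[.]250:40404",
    "rlarnjsdud0502.kro.kr:2222",
    "hxxp://AQWe9sfiWSwPyVMJ[.]xyz/jg94cVd30f/index.php",
    "hxxp://PMVqdJfUf3WlX9kI[.]xyz/jg94cVd30f/index.php",
    "hxxp://SmgqNt3EIxXkSAsU[.]xyz/jg94cVd30f/index.php",
    "hxxp://45.89.255[.]250:8080/TeamViewer_Desktop.exe",
    "hxxp://45.89.255[.]250:8080/explorer.exe",
    "hxxp://45.89.255[.]250:8080/TeamViewerSetupx64.exe",
    "hxxp://45.89.255[.]250:8080/ServiceManager.exe",
    "hxxp://45.89.255[.]250:8080/Kwvwz.png",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] -> . and hxxp(s) -> http(s)."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(target: str) -> str:
    """Lower-case hostname of a URL, host:port pair, or bare host ('' if none)."""
    s = refang(target)
    if "://" not in s:
        s = "//" + s          # lets urlsplit treat a bare host:port as the netloc
    return urlsplit(s).hostname or ""


IOC_HOSTS: Set[str] = {host_of(i) for i in IOCS}
IOC_URLS: Set[str] = {refang(i).lower() for i in IOCS if i.startswith("hxxp")}

# Constructed log lines in the shape "<ts> <client> <kind> <target>".
SAMPLE_LOG = [
    "2022-12-01T09:12:03Z 10.0.0.14 PROXY http://45.89.255.250:8080/explorer.exe",
    "2022-12-01T09:12:05Z 10.0.0.14 DNS aqwe9sfiwswpyvmj.xyz",
    "2022-12-01T09:13:10Z 10.0.0.22 PROXY https://www.teamviewer.com/en/download/",
    "2022-12-01T09:14:00Z 10.0.0.14 CONN 45.89.255.250:50505",
    "2022-12-01T09:15:30Z 10.0.0.31 DNS kro.kr",
]


def match_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, client, matched host or URL) for every hit.

    Hosts match exactly: kro.kr is a public dynamic-DNS parent, so a
    parent-domain match would be noise. Exact URL hits report the URL.
    """
    hits = []
    for idx, line in enumerate(lines):
        _ts, client, _kind, target = line.split(maxsplit=3)
        host = host_of(target)
        if host in IOC_HOSTS:
            label = target.lower() if target.lower() in IOC_URLS else host
            hits.append((idx, client, label))
    return hits


if __name__ == "__main__":
    for idx, client, what in match_log(SAMPLE_LOG):
        print(f"line {idx}: {client} -> {what}")
```

The legitimate TeamViewer download line is not flagged even though the malware borrows the product name: the file names in the last IoC bullet are only meaningful together with the hosting address, which is why the match is keyed on the host rather than on the file name.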

Read more: https://asec.ahnlab.com/en/44504/