SmokeLoader Infects Targeted Systems With Amadey Info-Stealing Malware


An information-stealing malware called Amadey is distributed through another backdoor called SmokeLoader.

The attacks revolve around tricking users into downloading SmokeLoader masquerading as software cracks, paving the way for Amadey’s deployment, researchers at the AhnLab Security Emergency Response Center (ASEC) said in a report published last week.

Amadey, a botnet that first appeared around October 2018 on Russian underground forums for $600, is equipped to exfiltrate credentials, capture screenshots, collect system metadata, and even gather information about antivirus engines and additional malware installed on an infected machine.

While an update spotted last July by Walmart Global Tech added functionality for collecting data from MikroTik routers and Microsoft Outlook, the toolset has since been upgraded to capture information from FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC and WinSCP.

However, its main purpose is to deploy additional remote access plugins and trojans such as Remcos RAT and RedLine Stealer, allowing the threat actor to carry out a range of post-exploitation activities.

Users are advised to keep their operating systems and web browsers updated to the latest versions to minimize possible infection routes, and to avoid pirated software.