Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution | McAfee Blog
Authored by Yashvi Shah
McAfee Labs has identified an increase in Wextract.exe-based samples that drop malware payloads in multiple stages.
Wextract.exe is the Windows self-extractor stub used to unpack and run a cabinet (.cab) archive. Cabinet files are compressed archives used to package and distribute software, drivers and other files. The stub is a legitimate Microsoft binary shipped in the System32 folder of the Windows directory. Because it simply extracts whatever cabinet it carries and runs the command the package names, attackers can repackage it with a malicious CAB and distribute the result as a disguise for malware; the Microsoft version information it carries is therefore not, by itself, evidence that a file is clean.
Some common ways in which malicious actors use a fake or repackaged version of wextract.exe include:
- Malware Distribution: A repackaged wextract.exe can deliver malware onto a victim’s computer. The payload is disguised as a legitimate file and the self-extractor unpacks and executes the malicious code.
- Information stealing: The extracted payload can be a keylogger or other data-stealing component that harvests sensitive information from the victim’s computer.
- Remote Access: The payload can create a backdoor or establish a remote connection to the victim’s computer, giving the attacker a foothold from which to carry out further malicious activity.
- Ransomware Delivery: The package can install ransomware on a victim’s system. For example, an attacker may build what looks like a legitimate software update or utility whose self-extractor drops a component that encrypts the victim’s files and demands a ransom payment for their decryption.
McAfee Labs collected malicious wextract.exe samples from the wild and analyzed their behavior.
This blog provides a detailed technical analysis of a malicious “wextract.exe” used as a delivery mechanism for several malware families, including Amadey and Redline Stealer, and of the techniques the chain uses to evade security software and execute its payloads. Once the payloads are running, they establish communication with a Command and Control (C2) server controlled by the attacker, through which data such as login credentials, financial data and other personal information is exfiltrated from the victim’s system.
Figure 1: Characteristic of the file
The file is a 32-bit Portable Executable, 631.50 KB in size. Its original name is WEXTRACT.EXE.MUI (the .MUI suffix marks a language-specific resource file) and its file description is “Самоизвлечение CAB-файлов Win32”, Russian for “Self-extracting Win32 CAB files”. The legal-copyright field names Microsoft Corporation. Many of the file’s static strings are also in Russian.
Normally, the resource section (.rsrc) holds resources used by the program, such as icons, bitmaps, strings and dialog boxes. Attackers use it to carry payloads because the data sits outside the code sections, is easy to read back at runtime through the standard resource APIs, and is often overlooked by static checks that focus on code.
The resource section of this sample holds multiple resources, of which the CABINET resource accounts for 75.75% of the total file size; that proportion is what makes the resource suspicious.
Figure 2: Resources in the file
A CAB (Cabinet) file is a compressed archive format often used to package multiple files into a single file for distribution or installation. A CAB stored in the resource section of a PE can serve legitimate purposes, such as carrying additional program files or data, language-specific resources, or commonly used resources in compressed form to reduce the size of the executable.
The CABINET resource holds two executables, cydn.exe and vona.exe.
Figure 3: CABINET in resource section
Also under RCDATA is a resource named “RUNPROGRAM”, whose value is cydn.exe. RUNPROGRAM, POSTRUNPROGRAM and their siblings are the standard RCDATA resources of a Microsoft IExpress self-extracting package: after unpacking the CAB, the wextract stub reads them and runs the command line they contain. An attacker who builds such a package therefore gets code execution without writing any loader code of their own; the stub launches the extracted payload, which can in turn download and execute further malware, launch scripts or commands, steal sensitive data, create backdoors or disable security software.
Figure 4: RUNPROGRAM attribute stating “cydn.exe”
POSTRUNPROGRAM likewise names a command to run after the RUNPROGRAM command has finished. Hence, once cydn.exe has executed, vona.exe is executed.
Figure 5: POSTRUNPROGRAM stating “vona.exe”
Once WEXTRACT.exe is executed, both cydn.exe and vona.exe are dropped into the TEMP folder. TEMP is a common staging location for malware because it is writable by any user account and rarely subject to strict restrictions, so writes there do not by themselves raise suspicion or trigger alerts.
Figure 6: Files dropped in TEMP folder
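The members of a CABINET resource can be inventoried without running the stub. The script below is an added example and not part of the original post or of McAfee's tooling: it carves every MSCF cabinet header out of a byte blob (for instance a PE image read from disk) and lists the member names and uncompressed sizes from the CFFILE table. Its input is constructed here: filler bytes in place of the PE image around a header-only cabinet naming cydn.exe and vona.exe, with arbitrary member sizes.

```python
"""Carve embedded Microsoft Cabinet (MSCF) archives out of a byte blob and list
their members without extracting or executing anything.

Added example, not code from the McAfee post.  SAMPLE_BLOB is constructed
below: filler bytes standing in for a PE image, with a minimal cabinet header
(CFHEADER + CFFOLDER + CFFILE entries, no CFDATA) naming cydn.exe and vona.exe.
"""
import struct

CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes, MS-CAB format v1.3
CFFILE_FIXED = struct.Struct("<IIHHHH")      # 16 bytes before the NUL-terminated name


def parse_cab(buf, off=0):
    """Parse the cabinet starting at buf[off:].

    Returns (cabinet_size, [(member_name, uncompressed_size), ...]).
    Raises ValueError for anything that is not a sane v1.3 cabinet, so a
    stray "MSCF" inside random data is rejected rather than mis-parsed.
    """
    if len(buf) - off < CFHEADER.size:
        raise ValueError("truncated CFHEADER")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     _c_folders, c_files, _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(buf, off)
    if sig != CAB_MAGIC or (ver_major, ver_minor) != (1, 3):
        raise ValueError("not a v1.3 cabinet")
    end = off + cb_cabinet
    if cb_cabinet < CFHEADER.size or end > len(buf) or coff_files >= cb_cabinet:
        raise ValueError("CFHEADER offsets exceed the buffer")
    # coffFiles points straight at the CFFILE table, so the CFFOLDER entries and
    # any reserve fields (flags & 4) can be skipped for an inventory.
    pos = off + coff_files
    members = []
    for _ in range(c_files):
        if pos + CFFILE_FIXED.size > end:
            raise ValueError("truncated CFFILE")
        cb_file, _folder_start, _i_folder, _date, _time, _attribs = CFFILE_FIXED.unpack_from(buf, pos)
        pos += CFFILE_FIXED.size
        nul = buf.find(b"\0", pos, end)
        if nul < 0:
            raise ValueError("unterminated CFFILE name")
        members.append((buf[pos:nul].decode("ascii", "replace"), cb_file))
        pos = nul + 1
    return cb_cabinet, members


def carve_cabs(blob):
    """Return [(offset, size, members)] for every valid cabinet found in blob."""
    found, start = [], 0
    while True:
        off = blob.find(CAB_MAGIC, start)
        if off < 0:
            return found
        try:
            size, members = parse_cab(blob, off)
        except ValueError:
            start = off + len(CAB_MAGIC)   # false positive: keep scanning
            continue
        found.append((off, size, members))
        start = off + size


def build_sample_cab(members):
    """Construct a header-only cabinet for testing (constructed input, not a real sample)."""
    cffile, folder_off = b"", 0
    for name, size in members:
        cffile += CFFILE_FIXED.pack(size, folder_off, 0, 0, 0, 0x20) + name.encode("ascii") + b"\0"
        folder_off += size
    cffolder = struct.pack("<IHH", 0, 0, 0)          # one folder, no compression, no CFDATA
    coff_files = CFHEADER.size + len(cffolder)
    cb_cabinet = coff_files + len(cffile)
    header = CFHEADER.pack(CAB_MAGIC, 0, cb_cabinet, 0, coff_files, 0,
                           3, 1, 1, len(members), 0, 0x1234, 0)
    return header + cffolder + cffile


# Constructed stand-in for the dropper: 202 filler bytes, the cabinet, trailing padding.
SAMPLE_BLOB = b"MZ" + b"\0" * 200 + build_sample_cab([("cydn.exe", 1024), ("vona.exe", 2048)]) + b"\0" * 64

if __name__ == "__main__":
    for off, size, members in carve_cabs(SAMPLE_BLOB):
        print(f"cabinet at 0x{off:x} ({size} bytes):")
        for name, cb in members:
            print(f"  {name:<16} {cb:>8} bytes")
```

Run it on a real sample with `carve_cabs(open(path, "rb").read())`. The version and offset checks reject stray MSCF strings in random data, and once a cabinet has been cut out of the resource, `expand -d <file.cab>` on Windows gives the same listing for cross-checking.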
Stage 2: Analysis of cydn.exe
The file has a large resource section relative to its total size, and that section has an entropy of 7.810 (out of a maximum of 8). Entropy measures the randomness of the data in a file and is commonly used as an indicator that content is compressed or encrypted.
In a PE file, high entropy indicates that the file contains a significant amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it harder to analyze; malware authors commonly do this to evade signature-based antivirus detection. Legitimate installers and packers produce the same readings, so entropy on its own is a triage signal rather than a verdict.
Figure 7: File ratio and entropy of the resource section
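A per-window entropy scan reproduces what the PE tool reports for the resource section and, more usefully, shows where in the file the opaque data sits. The following is an added example, not McAfee's code: it computes Shannon entropy over fixed-size windows, merges consecutive high-entropy windows into regions, and reports the share of the file they cover. The input is constructed: repetitive PE-style text followed by deterministic pseudo-random bytes standing in for a packed resource, then a zero-filled tail.

```python
"""Locate high-entropy (packed or encrypted) regions in a file by sliding a
window over it and computing Shannon entropy per window.

Added example, not code from the McAfee post.  SAMPLE is constructed below:
2 KB of repetitive PE-style text, 12 KB of pseudo-random bytes standing in
for a packed resource, then a zero-filled tail.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(buf, window=512, threshold=7.0):
    """Return [(start, end, mean_entropy)] for runs of windows at or above threshold."""
    regions, run = [], None
    for start in range(0, len(buf), window):
        end = min(start + window, len(buf))
        h = shannon_entropy(buf[start:end])
        if h >= threshold:
            run = [start, end, [h]] if run is None else [run[0], end, run[2] + [h]]
        elif run is not None:
            regions.append((run[0], run[1], sum(run[2]) / len(run[2])))
            run = None
    if run is not None:
        regions.append((run[0], run[1], sum(run[2]) / len(run[2])))
    return regions


def packed_fraction(buf, **kw):
    """Share of the file lying inside high-entropy regions (the '75 %' style ratio)."""
    if not buf:
        return 0.0
    return sum(e - s for s, e, _ in high_entropy_regions(buf, **kw)) / len(buf)


def _pseudo_random(n, seed=b"amadey-example"):
    """Deterministic high-entropy filler: chained SHA-256 digests (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


LOW = (b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]   # low-entropy text
SAMPLE = LOW + _pseudo_random(12288) + b"\0" * 512

if __name__ == "__main__":
    for s, e, h in high_entropy_regions(SAMPLE):
        print(f"high-entropy region 0x{s:x}-0x{e:x}, mean {h:.3f} bits/byte")
    print(f"packed fraction: {packed_fraction(SAMPLE):.2%}")
```

With a real sample, feed it the bytes of the .rsrc section (or the whole file). Legitimate compressed installers score just as high, so the useful output is the ratio and the location of the region, not the number alone.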
Like the parent, cydn.exe carries two executables in its resource section, named aydx.exe and mika.exe. Its “RUNPROGRAM” resource runs aydx.exe and its “POSTRUNPROGRAM” resource runs mika.exe once aydx.exe has executed. These files are also dropped in a TEMP folder.
Figure 8: aydx.exe and mika.exe packed in resource section
Figure 9: Executables dropped in another TEMP folder
The order of execution is therefore: Wextract.exe, then cydn.exe (both discussed above), then aydx.exe, then mika.exe, and finally vona.exe.
Figure 10: Execution flow
Stage 3: Analysis of aydx.exe
Aydx.exe is a 32-bit Portable Executable, 405 KB in size, compiled in C/C++. Once executed, it attempts to connect to the IP address 193.233.20.7.
Figure 11: Malware trying to connect to the IPv4 address
This IP address is associated with Redline Stealer; the connection is made to port 4138.
Analysis of mika.exe
Mika.exe is a 32-bit Portable Executable compiled in .NET and only 11 KB in size. The original name of the file is “Healer.exe”. It generates no network activity, but it changes the target machine so that the malware of later stages can run unhindered.
The intent of mika.exe is to turn off Windows Defender through every policy switch available. After mika.exe had executed, the Defender settings of the system looked like this:
Figure 12: Real-time protection turned off
The toggle could not be switched back on through the Windows Settings app. Procmon logs from the run were then analyzed and contained entries relating to Windows Defender, such as:
Figure 13: Procmon logs
To validate this, the registry was analyzed and all the changes were found there, in exactly the order recorded by Procmon. (The registry is the hierarchical database in which Windows stores configuration settings for the operating system, applications, devices and user preferences.) The following values are added under the Real-Time Protection key:
- DisableBehaviorMonitoring
- DisableIOAVProtection
- DisableOnAccessProtection
- DisableRealtimeMonitoring
- DisableScanOnRealtimeEnable
Figure 14: Keys added in Registry
Because these are policy values, they take precedence over what a user sets in the Defender UI: the Settings toggle is shown as managed and cannot re-enable real-time protection, so ordinary users are locked out of turning Defender back on. The change persists until the values are removed, which requires administrative rights, and this gives the attacker control of the system for longer. Every later stage of this chain benefits, and so would any other malware that lands on the machine, whether or not it belongs to this campaign. A practical check for responders is to list the Disable* values under the Real-Time Protection policy key: a workstation that is not under a Defender policy normally has none of them present.
Stage 4: Analysis of vona.exe
Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. It is the last file to be executed from the current cluster. When executed, an extensive process tree appeared almost immediately.
Figure 15: Process tree of vona.exe
Stage 5: Analysis of mnolyk.exe
An immediate child process of vona.exe is mnolyk.exe, another Amadey component, which is dropped into a subfolder of the TEMP folder.
Figure 16: mnolyk.exe dropped in TEMP folder
Mnolyk.exe makes active connections to the IP addresses 62.204.41.5 and 62.204.41.251.
Malicious DLLs are downloaded from 62.204.41.5 and executed later in the campaign. The infected host requests two DLLs from this server, cred.dll and clip.dll.
Figure 17: Malicious dlls downloaded
From 62.204.41.251, several executables are downloaded to the TEMP folder and later executed. The executables downloaded are:
fuka.exe
Figure 18: fuka.exe
nikas.exe
Figure 19: nikas.exe
igla.exe
Figure 20: igla.exe
nocr.exe
Figure 21: nocr.exe
lebro.exe
Figure 22: lebro.exe
Following the execution of mnolyk.exe, a series of schtasks.exe and cacls.exe commands was executed.
The command line for schtasks.exe is "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
- “/Create” – creates a new scheduled task.
- “/SC MINUTE” – sets the schedule type to minute-based.
- “/MO 1” – the modifier for the schedule type; with /SC MINUTE it is the interval, so the task fires every 1 minute. It does not limit the task to a single run.
- “/TN mnolyk.exe” – the task name, an arbitrary string that here simply mimics the file name.
- “/TR "…\mnolyk.exe"” – the task action, the full path of the program to run.
- “/F” – creates the task forcibly, overwriting any existing task of the same name without prompting.
So the entire command line creates a scheduled task that relaunches mnolyk.exe from its TEMP subfolder every minute, which both keeps the loader resident and restarts it if it is killed.
Several instances of cacls.exe were created. One of them is explained here along with its parameters. The command line is CACLS "mnolyk.exe" /P "test:R" /E
- “CACLS” – the (deprecated but still present) command to display or change the ACL of a file.
- “mnolyk.exe” – the file whose ACL will be modified, resolved relative to the current directory.
- “/P test:R” – replaces the permissions of the user “test” with the ones given; “:R” grants Read only.
- “/E” – edits the existing ACL instead of replacing it wholesale, so the other entries on the file are preserved.
So the entire command line leaves the user “test” able to read mnolyk.exe but not to write to or delete it. In one of the other command lines, “/P test:R” is replaced with “/P test:N”, which sets “None” and denies the user all access. Because the malware runs as that user, these ACL changes block the user, and any tooling running with only that user’s rights, from removing the dropped loader; an administrator can still take ownership and reset the ACL.
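The registry changes made by mika.exe and the schtasks/cacls commands run by mnolyk.exe are both cheap to detect from process and registry telemetry. The following is an added example, not McAfee's detection content: it runs three checks over a list of host events (Defender Disable* policy values set to non-zero, a schtasks /Create with a minute-level interval whose action lives in %TEMP%, and cacls /P <user>:N or :R on a file) and returns the findings. The events are constructed here from the command lines quoted above, and the registry path is an assumption: the post names only the Real-Time Protection subkey, while the example uses the Defender policy key under HKLM\SOFTWARE\Policies, where those value names are honoured.

```python
r"""Hunt two of the tampering patterns described above in a list of host events:
Healer's Defender policy writes and Amadey's schtasks/cacls self-protection.

Added example, not McAfee's tooling.  SAMPLE_EVENTS is constructed here in a
Procmon/Sysmon-like shape.  Assumption: the Disable* values live under the
Defender policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection;
the post names only the Real-Time Protection subkey.
"""
import shlex

DEFENDER_RTP_POLICY = r"hklm\software\policies\microsoft\windows defender\real-time protection"


def _argv(cmdline):
    """Windows-style split: quotes group tokens, backslashes stay literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def _image(argv):
    """Base name of argv[0], lower-cased."""
    return argv[0].lower().rsplit("\\", 1)[-1] if argv else ""


def _opt(argv, switch):
    """Value following a /switch (case-insensitive), or None."""
    low = [a.lower() for a in argv]
    if switch in low and low.index(switch) + 1 < len(argv):
        return argv[low.index(switch) + 1]
    return None


def check_defender_policy(ev):
    """RegSetValue of a Disable* value to non-zero under the RTP policy key."""
    if ev.get("op") != "RegSetValue":
        return None
    key, _, value = ev["path"].rpartition("\\")
    if key.lower() == DEFENDER_RTP_POLICY and value.lower().startswith("disable") and ev.get("data"):
        return f"defender_policy_tamper: {value}={ev['data']} by {ev.get('proc', '?')}"
    return None


def check_schtasks(ev):
    """schtasks /Create with a minute-level interval whose action lives in %TEMP%."""
    if ev.get("op") != "ProcessCreate":
        return None
    argv = _argv(ev["cmdline"])
    if _image(argv) not in ("schtasks", "schtasks.exe") or "/create" not in {a.lower() for a in argv}:
        return None
    sc = (_opt(argv, "/sc") or "").lower()
    mo = _opt(argv, "/mo") or "1"           # schtasks defaults the modifier to 1
    tr = _opt(argv, "/tr") or ""
    if sc == "minute" and mo.isdigit() and int(mo) <= 5 and "\\temp\\" in tr.lower():
        return f"temp_persistence_every_{mo}min: {tr}"
    return None


def check_cacls(ev):
    """cacls /P <user>:N or <user>:R on a file: a dropper locking its own copy."""
    if ev.get("op") != "ProcessCreate":
        return None
    argv = _argv(ev["cmdline"])
    if len(argv) < 2 or _image(argv) not in ("cacls", "cacls.exe"):
        return None
    perm = _opt(argv, "/p")
    if perm and perm.rpartition(":")[2].upper() in ("N", "R"):
        return f"acl_self_lock: {argv[1]} -> {perm}"
    return None


def hunt(events):
    """Run every check over every event; return the list of findings."""
    return [hit for ev in events
            for hit in (check_defender_policy(ev), check_schtasks(ev), check_cacls(ev)) if hit]


RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [  # constructed, modelled on the post's Procmon entries and command lines
    {"op": "RegSetValue", "proc": "mika.exe", "path": RTP + r"\DisableRealtimeMonitoring", "data": 1},
    {"op": "RegSetValue", "proc": "mika.exe", "path": RTP + r"\DisableIOAVProtection", "data": 1},
    {"op": "RegSetValue", "proc": "MsMpEng.exe",   # benign noise: Defender's own state key, value 0
     "path": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "data": 0},
    {"op": "ProcessCreate", "proc": "mnolyk.exe", "cmdline":
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F'},
    {"op": "ProcessCreate", "proc": "mnolyk.exe", "cmdline": r'CACLS "mnolyk.exe" /P "test:R" /E'},
    {"op": "ProcessCreate", "proc": "mnolyk.exe", "cmdline": r'CACLS "mnolyk.exe" /P "test:N"'},
    {"op": "ProcessCreate", "proc": "explorer.exe", "cmdline":   # benign daily task outside TEMP
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The cacls rule keys on the permission letter rather than the file name, so it also catches the same lock applied to the dropper's folder. Tune the /MO threshold and the path test to the environment before alerting on them, since some legitimate agents also schedule short-interval tasks.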
Stage 6: Analyzing fuka.exe, nikas.exe, igla.exe, nocr.exe and lebro.exe
Fuka.exe
Fuka.exe, a variant of the Redline Stealer malware family, is 175 KB and compiled in .NET. The original name of the file is Samarium.exe. It shows network activity with the IP address 193.233.20.11.
Figure 23: Network activity of fuka.exe
Nikas.exe
Nikas.exe is a 248 KB executable compiled in C/C++. It disables automatic Windows updates and reads back the Real-Time Protection values that mika.exe set earlier. No network activity was observed during replication.
Igla.exe
Igla.exe is a 520 KB file compiled in C/C++. Its original name is WEXTRACT.EXE.MUI. As with cydn.exe, this PE carries two more executables in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe.
Figure 24: RUNPROGRAM attribute in igla.exe
Figure 25: POSTRUNPROGRAM attribute in igla.exe
bvPf.exe
bvPf.exe is 306 KB in size and compiled in C/C++. Its original filename is nightskywalker.exe. The file is dropped into a subfolder of the system’s TEMP folder.
The executable attempted to connect to 193.233.20.11, but the server did not respond and no communication took place.
cmkmka.exe
cmkmka.exe is a 32-bit PE file, 283.5 KB in size. It launches AppLaunch.exe, a legitimate .NET Framework component, and it is this process that carries the C2 traffic.
It communicates with the IP address 176.113.115.17, an active Redline Stealer C2, on port 4132.
Figure 26: Data exfiltration
The blue-coloured content in the capture is the data sent by the Command and Control (C2) server: a configuration telling the stealer which data to collect and the paths to look in, including the user profiles of different web browsers, various cryptocurrency-wallet directories and other related locations.
In response, the stealer sends everything found at those paths back to the C2: browser profiles, crypto-wallet data and user-related information from the Windows installation. In this way the C2 collects a large amount of sensitive information from the infected system, which the attackers can then exploit.
Nocr.exe
Nocr.exe, a Redline Stealer component, is a 175 KB .NET binary. Its original name is Alary.exe. It communicates with the IP address 176.113.115.17.
Lebro.exe
Lebro.exe, an Amadey component, is a 235 KB file compiled in C/C++. It is responsible for executing nbveek.exe, the next stage of the malware, which is again dropped into the TEMP folder.
Figure 27: Dropping another executable in TEMP folder
Stage 7: Analyzing nbveek.exe
lebro.exe and nbveek.exe have the same hash, i.e. they are the same binary, so nbveek.exe is Amadey as well. It connects to the IP address 62.204.41.88.
Figure 28: Network activity of nbveek.exe
The infected host requests a .php page from this server; the response contains the instruction to download another executable, setupff.exe, which is saved to the TEMP folder.
Before setupff.exe is executed, the same series of schtasks.exe and cacls.exe commands seen earlier is run again, with the same parameters applied to nbveek.exe as were applied to mnolyk.exe.
Setupff.exe
Setupff.exe is compiled in C/C++ and is 795 KB. In our replication this instance failed to execute and displayed a Windows error.
Stage 8: Final stage
Later, another instance of setupff.exe was created, which in turn invokes multiple instances of rundll32.exe. Here the two DLLs downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these DLLs as Amadey malware.
The network activity shows the DLLs connecting to 62.204.41.88, and this component again exfiltrates data to the C2:
Figure 29: Data exfiltration
To conclude, the threat posed by this multi-stage attack, which drops the Amadey botnet and, through it, Redline Stealer, is significant and requires constant vigilance from consumers and security professionals alike. By using Amadey as a delivery mechanism for other malware, attackers reuse its evasion and persistence capabilities for whatever they drop next: spyware, ransomware, trojans and other payloads used to steal sensitive information, encrypt files for ransom or enrol the machine in a larger botnet. Our analysis of multiple samples of this attack shows that Amadey distributes malware from several families and is not restricted to Redline Stealer alone.
At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage.
Indicators of Compromise (IOCs):
File Type | SHA-256 / IPv4 | Product | Detection |
--- | --- | --- | --- |
.exe | 80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376 | Total Protection and LiveSafe | Downloader-FCND Lockbit-FSWW PWS-FDON |
.exe | d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800 | Total Protection and LiveSafe | PWS-FDON Lockbit-FSWW |
.exe | 1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5 | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 | Total Protection and LiveSafe | PWS-FDON |
.exe | 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116 | Total Protection and LiveSafe | Downloader-FCND |
.exe | 8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2 | Total Protection and LiveSafe | AgentTesla-FCYU |
.exe | 021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1 | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | 54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc | Total Protection and LiveSafe | GenericRXVK-HF |
.exe | 0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f | Total Protection and LiveSafe | AgentTesla-FCYU |
.exe | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b | Total Protection and LiveSafe | Downloader-FCND |
.exe | d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41 | Total Protection and LiveSafe | GenericRXVJ-QP |
.dll | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 | Total Protection and LiveSafe | PWS-FDOE |
.dll | 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8 | Total Protection and LiveSafe | Trojan-FUUW |
.dll | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 | Total Protection and LiveSafe | Trojan-FUUW |
IPv4 | 193.233.20.7 | | |
IPv4 | 62.204.41.5 | | |
IPv4 | 62.204.41.251 | | |
IPv4 | 193.233.20.11 | | |
IPv4 | 176.113.115.17 | | |
IPv4 | 62.204.41.88 | | |