S1025 Amadey
Amadey is a Trojan bot that has been used since at least October 2018.[1][2]
| Item | Value |
|---|---|
| ID | S1025 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 14 July 2022 |
| Last Modified | 07 May 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Amadey has used HTTP for C2 communications.[2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[1][2] |
| enterprise | T1005 | Data from Local System | Amadey can collect information from a compromised host.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Amadey has decoded antivirus name strings.[1] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.001 | Fast Flux DNS | Amadey has used fast flux DNS for its C2.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Amadey has sent victim data to its C2 servers.[2] |
| enterprise | T1083 | File and Directory Discovery | Amadey has searched for folders associated with antivirus software.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Amadey can download and execute files to further infect a host machine with additional malware.[2] |
| enterprise | T1112 | Modify Registry | Amadey has overwritten registry keys for persistence.[2] |
| enterprise | T1106 | Native API | Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[2] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Amadey has checked for a variety of antivirus products.[1][2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.005 | Mark-of-the-Web Bypass | Amadey has modified the `:Zone.Identifier` alternate data stream (ADS) to zero.[1] |
| enterprise | T1082 | System Information Discovery | Amadey has collected the computer name and OS version from a compromised machine.[1][2] |
| enterprise | T1614 | System Location Discovery | Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Amadey can identify the IP address of a victim machine.[2] |
| enterprise | T1033 | System Owner/User Discovery | Amadey has collected the user name from a compromised host using `GetUserNameA`.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [3][4] |
| G0092 | TA505 | [1][2] |
References
1. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
2. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
3. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
4. Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024.