The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware.
Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on the infected systems.[1] Additionally, in the second half of this year, Amadey was used in attacks involving LockBit 3.0, which targeted Korean corporate users. Amadey was distributed as attachments to spam emails and was responsible for installing LockBit Ransomware.[2]
While monitoring the actively distributed Amadey Bot, the ASEC analysis team found the Nitol DDoS Bot malware installing Amadey. Nitol is a DDoS Bot with a Denial of Service (DDoS) attack feature, and while its numbers have decreased recently, it is a malware that has been steadily used in attacks since long ago. For example, in 2021, there was a history of it being uploaded to a Korean forum archive, infecting many Korean users.[3]
Figure 1. The malware distribution posts that were uploaded on a Korean program-sharing websiteNitol Malware that installed Amadey is the same file as the malware covered in the above blog post. This tells us that even after over a year, it is still being used in attacks up until now. This file is being shared via torrent, disguised as cracks for Hancom and MS Office, and it is infecting many users even at the current moment. The following are the names of paths where Nitol was detected.
\Hancom 2020\crack.exe
\[Official Korean Version] Office 2007\setup.exe
\microsoft office 2016\setup.exe
\SketchUp Pro 2018\crack.exeNitol Malware Analysis
Nitol used in the attacks was packed with Themida to hinder analysis. Nitol is a DDoS Bot that supports various forms of DDoS attacks, and the one used in the attacks has 0x50 for its settings data. When it communicates with C&C servers, it stands by for 5 seconds and sets the system’s hidden files and folders to be invisible. The following is the settings data for Nitol.
| Bit Settings | Feature |
|---|---|
| 0x01 | Exclude installation process |
| 0x02 | Auto-delete |
| 0x04 | Check virtual environment |
| 0x08 | Check sandbox environment |
| 0x10 | Sleep (5 seconds) |
| 0x20 | Generate dummy packet |
| 0x40 | System configuration (does not display hidden files) |
| 0x80 | Assign hidden properties to the malware |
The virtual environment check uses the IN command to check whether it is running on a VMware virtual machine. As for sandbox environments, it checks whether the “api_log.dll” and “SbieDll.dll” DLLs are loaded. If it confirms that it’s in a virtual or sandbox environment, Nitol is shut down.
The dummy packet-generating option creates a random IP address and attempts to connect by matching the port number of an actual C&C address. When this process is successful, dummy data is transmitted. These behaviors are repeated 10 times, and it is likely that this is for the purpose of hindering network behavior analysis.
As the option that excludes the installation process is not activated in this malware, an installation process runs when the malware is executed. The installation process includes a self-copying stage where the malware copies itself under a random 6-character name in %APPDATA%, and a persistence maintaining stage where it uses the reg command to register itself to the Run key. When the installation process is complete, it executes the malware in the copied path and connects to the C&C server.
> “C:\Windows\System32\reg.exe” ADD “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /V “My App” /t REG_SZ /F /D “C:\Users\vmuser\AppData\Roaming\gkqske.exe”
Currently, access to the C&C server is unavailable, but once the connection is successfully established, the malware transmits basic information about the infected system, as shown below.
| Offset | Data |
|---|---|
| +0x0000 | 0x00000001 |
| +0x0004 | Language and country information (Locale) |
| +0x0044 | Computer name |
| +0x00C4 | Windows version |
| +0x0104 | RAM size (GB) |
| +0x0124 | CPU performance (MHz) |
| +0x0144 | “Client” |
Figure 2. Past packet capturedWhen Nitol sends the infected system’s information to the C&C server, the server returns the command. The command can perform various functions including DDoS attacks, downloading files, and running updates. For reference, DDoS attacks were divided into three categories below, but the malware supports many more types of DDoS attacks.
Figure 3. User-Agent used in DDoS attacks| Command | Feature |
|---|---|
| 0x0002 | DDoS Attack #1 |
| 0x0003 | DDoS Attack #2 |
| 0x0004 | DDoS Attack #3 |
| 0x0005 | Stop DDoS attack |
| 0x0006 | Auto-delete |
| 0x0010 | Download and run payload (SW_HIDE) |
| 0x0011 | Download and run payload (SW_SHOW) |
| 0x0012 | Update |
| 0x0013 | Web page access via Internet Explorer (Hidden) |
| 0x0014 | Web page access via Internet Explorer (IE popup) |
| 0x0016 | Destroy MBR |
Out of the commands, there is one that receives a URL from the C&C server and connects to the corresponding web page using Internet Explorer. The command can be configured to access the web page unknown to the user or have Internet Explorer pop up to have users be aware.
Figure 4. Accessing web page using IEAdditionally, there is also a command that changes MBR to incapacitate the system after a reboot. When the system is restarted after the following data is written on MBR, it shows the string “Game Over” as shown below and makes the system unable to reboot.
Figure 5. MBR destruction routine
Figure 6. After rebootingNitol supports a command that downloads additional payloads, and this command was used to install Amadey Bot. The following are ASD (AhnLab Smart Defense) infrastructure logs that show Nitol having downloaded Amadey from an external address.
Figure 7. Nitol installing Amadey BotInstalling Additional Payloads Using Amadey (Amadey Bot, njRAT)
After being installed by Nitol, Amadey Bot attempts to connect to C&C servers. When this process is successful, Amadey downloads a plugin responsible for extorting information to collect information from the infected system and send them to the C&C server. Besides account credentials, Amadey also takes periodic screenshots and sends them to the C&C server. The following blog post goes into a detailed analysis of Amadey.
Figure 8. Amadey’s network trafficAn examination of the current version of Amadey shows that it receives a command from the C&C server to install additional payloads, and accordingly, it downloads and installs a total of 4 files. These files are Amadey, Nitol, and a downloader, The Nitol mentioned above is Type A, but Amadey also installs Nitol Type B.
- TeamViewerSetupx64.exe : Amadey
- TeamViewer_Desktop.exe : Nitol Type A
- explorer.exe : Nitol Type B
- ServiceManager.exe : Downloader (Dotnet Packer)
The top-level list of the addresses where the malware are downloaded from is unavailable, but it can be assumed that there are various other malware strains aside from those mentioned.
Figure 9. Download pageThe malware installed by the threat actor mimic original programs, with names such as TeamViewer, Explorer, and AnyDesk. The threat actor not only disguises the filename but also the icons to resemble the original programs when distributing the malware.
Figure 10. Icons of malware used in attacksTorrent is the main platform used in malware propagation alongside file-sharing sites. When installing cracks or keygen files of commercial software using torrents, there is a risk of being infected with malware disguised as these programs. When Nitol is installed, the user PC acts as a DDoS Bot and can be used in DDoS attacks. In addition, it can also be used for installing additional malware such as Amadey. As for Amadey, it stays in the infected system to not only extort user credentials but also install additional malware.
Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.
File Detection
– Backdoor/Win.Nitol.C4533062 (2021.06.24.01)
– Trojan/Win.Generic.R539958 (2022.12.09.01)
– Downloader/Win.Amadey.C5329944 (2022.12.12.01)
– Downloader/Win.MSIL.C5329945 (2022.12.12.01)
– Downloader/Win.Amadey.C5329946 (2022.12.12.01)
Behavior Detection
– Malware/MDP.Behavior.M3108
MD5
– 3038c7bb0f593df3f52f0644c894c7ba : Nitol Type A
– d332cf184ac8335d2c3581a48ee0ad87 : Amadey (AnyDesk.exe)
– 852011cf885e76c0441dd52fdd280db7 : Amadey (TeamViewerSetupx64.exe)
– 0c9df67f152a727b0832aa4e7f079a71 : Nitol Type A (TeamViewer_Desktop.exe)
– e79b48eefa43aa34f360f68618992236 : Nitol Type B (explorer.exe)
– f01b49498b82320973c6006ee117f91e : Dotnet Downloader (ServiceManager.exe)
C&C URL
– rlarnjsdud0502.kro.kr:2222 : Nitol Type A
– hxxp://AQWe9sfiWSwPyVMJ[.]xyz/jg94cVd30f/index.php : Amadey
– hxxp://PMVqdJfUf3WlX9kI[.]xyz/jg94cVd30f/index.php : Amadey
– hxxp://SmgqNt3EIxXkSAsU[.]xyz/jg94cVd30f/index.php : Amadey
– 45.89.255[.]250:50505 : Nitol Type A
– gy9.gyddos[.]com:8889 : Nitol Type B
– 45.89.255[.]250:40404 : Nitol Type B
– 45.89.255[.]250:30303 : Downloader (Dotnet Packer)
Download URL
– hxxp://45.89.255[.]250:8080/AnyDesk.exe : Amadey
– hxxp://45.89.255[.]250:8080/TeamViewer_Desktop.exe : Nitol Type A
– hxxp://45.89.255[.]250:8080/explorer.exe : Nitol Type B
– hxxp://45.89.255[.]250:8080/TeamViewerSetupx64.exe : Amadey
– hxxp://45.89.255[.]250:8080/ServiceManager.exe : Downloader (Dotnet Packer)
– hxxp://45.89.255[.]250:8080/Kwvwz.png : Dotnet Downloader
Reference
[1] [ASEC Blog] Amadey Bot Being Distributed Through SmokeLoader
[2] [ASEC Blog] LockBit 3.0 Being Distributed via Amadey Bot
[3] [ASEC Blog] Nitol Malware Being Distributed in Forum Archive
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Nitol DDoS Malware Installing Amadey Bot appeared first on ASEC BLOG.
Article Link: Nitol DDoS Malware Installing Amadey Bot - ASEC BLOG