Cyble Research & Intelligence Labs (CRIL) has uncovered a campaign in which a threat actor uses the Amadey bot to spread SectopRAT, signaling a new wave of attacks. The operation chains three pieces of malware: the LummaC information stealer, the Amadey bot, and SectopRAT. CRIL's investigation details how the campaign works, showing how the Amadey bot, itself dropped by the LummaC stealer, is used to distribute the SectopRAT payload.
The LummaC information stealer is sold on Russian-speaking forums under a Malware-as-a-Service (MaaS) model. Once deployed, it harvests sensitive data from compromised devices, targeting cryptocurrency wallets, two-factor authentication codes, browser extensions, and other critical files and documents.
To understand the attack chain employed by LummaC, Amadey, and SectopRAT, it is important to examine the events associated with each threat. The chain usually begins with the LummaC information stealer being served from phishing websites disguised as legitimate software sources; through this disguise, the stealer makes its way onto unsuspecting computers. LummaC then adds an unusual twist by retrieving a secondary payload, the Amadey bot. Amadey is adept at spreading itself and maintains its foothold through a concealed LNK file in the Startup folder. Once activated, the LNK file triggers a series of events that continue the infection chain on the victim's device, and Amadey in turn fetches the SectopRAT payload.
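For a defender triaging the Startup-folder persistence described above, the following added example (not from CRIL's report or any of the malware) parses .lnk files without Windows APIs so their target path and arguments can be reviewed from any analysis host. The sample link, its target name and its arguments are constructed here, not recovered from the campaign.

```python
import struct
from pathlib import Path

# Shell Link header constants from the MS-SHLLINK specification.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk blob."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                               # end of the fixed-size header
    if flags & HAS_ID_LIST:                  # skip LinkTargetIDList (size prefix excluded)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (size prefix included)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:          # StringData entries appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def scan_startup(folder: Path) -> list:
    """Parse every .lnk in a Startup folder; returns (filename, fields) pairs for review."""
    results = []
    for lnk in sorted(folder.glob("*.lnk")):
        try:
            results.append((lnk.name, parse_lnk(lnk.read_bytes())))
        except ValueError as exc:
            results.append((lnk.name, {"error": str(exc)}))
    return results

def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # remaining header fields left zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    return header + body
```

On a live host, point `scan_startup` at the per-user and all-users Startup folders and review any link whose target or arguments you cannot account for.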
Through technical analysis, CRIL has discovered that the LummaC information stealer uses ZIP files to carry its malicious payload. These files are concealed under names like “Newest_Setup_123_UseAs_PassKey.zip” and “Passw0rdz_113355_Open_Setup_App.zip,” luring victims into a trap.
At the core of the delivery are two executable files: “Setup.exe” and a 32-bit GUI-based .NET Reactor executable. When these files are launched, they begin extracting sensitive data from the victim’s device. The LummaC information stealer meticulously gathers system details, such as operating system information, hardware configuration, and screen resolution. It also focuses on the victim’s web browser, particularly cryptocurrency wallet and two-factor authentication extensions. The stolen information is then sent to a command-and-control server, completing the stealer’s part of the attack chain.
The Amadey bot, a versatile malware that was discovered in 2018, has become a favored tool for hackers looking to introduce additional malware payloads to their attacks. The Lockbit ransomware group, in particular, has been observed using the Amadey bot to target victims.
Finally, SectopRAT, a popular Remote Access Trojan (RAT) written in .NET, serves as the final payload in this campaign. SectopRAT can extract browser data, infiltrate cryptocurrency wallets, and even manipulate browser sessions by creating a hidden secondary desktop. By employing Anti-VM and Anti-Emulator mechanisms, SectopRAT operates stealthily in the background, siphoning information from unsuspecting victims.
The revelation of the LummaC-Amadey-SectopRAT alliance showcases a new level of cyber threat sophistication. This coordinated attack chain unveils the evolving tactics of cybercriminals, from data gathering to payload distribution. It serves as a stark reminder of the importance of strong cybersecurity measures to protect against such threats.