New Alert: Amadey Trojan Spearheads APT-C-36’s Malicious Campaign

Amadey Trojan

Specialists from the 360 Threat Intelligence Center’s cybersecurity team have unveiled a new campaign by APT-C-36, notorious for its targeted phishing onslaughts. This time, the cyber felons have escalated their assaults by integrating the Amadey Trojan into a malicious PDF dissemination operation.

First emerging in the cyber realm in October 2018, the Amadey Trojan is a modular botnet with capabilities to circumvent internal network defenses, pilfer information, remotely control infected systems, and launch DDoS attacks, among other nefarious activities.

Amadey Trojan

The unearthed documents harbor a malicious VBS script, stealthily fetched from cloud services and disguised as an encrypted compressed bundle. Upon activation, the script employs Powershell to execute malevolent code cloaked in Base64 encoding.

The arsenal of downloaded payloads includes the net_dll — a component frequently utilized by APT-C-36 for Reflective DLL Loading, as well as the Trojan Amadey itself. With this Trojan, perpetrators can execute a broad array of operations, encompassing data theft and lateral movement within the network’s confines.

During the assault, the Trojan amalgamates with the system process, allowing it to operate covertly within the infected ecosystem. Subsequently, Amadey, having seized control, downloads additional malicious files, including components for harvesting confidential information and executing sinister scripts.

Every phase of the attack is meticulously orchestrated with a Command and Control (C2) server, which receives intel from the Trojan about the compromised computer. This communication facilitates the APT-C-36 operators to oversee the deployment of malware and data exfiltration.

It is noteworthy that the tactics employed in this attack mirror those leveraged by hackers in the past, attesting to their fidelity to tried-and-true methodologies. Nevertheless, the zealous integration of novel tools and refinement of existing tactics indicate that APT-C-36 is continually honing its capabilities.

Experts warn that the group’s activities are not confined to a single region; their attacks have global ramifications. As APT-C-36’s tactics and tools evolve, we can anticipate an escalation in the volume and complexity of targeted attacks, necessitating heightened cyber defense vigilance by both organizations and individuals.