Amadey is a malware that steals sensitive information from infected Windows endpoints. This malware was first discovered in 2018 and has maintained a persistent botnet infrastructure since then. It has the capability to download additional malware from a command and control (C2) server on the infected endpoints. The malware sends stolen information to a remote C2 server through HTTP POST requests.
Amadey malware can also add infected endpoints to a botnet that threat actors can use to launch distributed denial of service (DDoS) attacks. Threat actors usually distribute Amadey through cracked versions of legitimate software and keygens.
This blog post shows how we use Wazuh to detect Amadey malware on an infected Windows endpoint.
Behavioral analysis of Amadey
- Amadey downloads clip64.dll and cred64.dll files from a C2 server and saves these files in the C:\Users\<USER_NAME>\AppData\Roaming\<FOLDER> folder. Amadey utilizes the Windows rundll32.exe utility to execute these DLL files. It uses these DLL files to steal sensitive information from infected endpoints.
- Amadey sends the stolen information in a structured string format to its C2 server through an HTTP POST request. The stolen information includes the computer name (pc), username (un), admin privilege status (ar), and anti-malware software installed (av):
  id=101495022937&vs=3.86&sd=88c8bb&os=1&bi=1&ar =1&pc =Windows-10un =Administrator&dm=&av =13&lv=0&og=1
- The malware modifies the Startup value of the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Windows registry key to maintain persistence upon system reboot.
- Amadey creates a copy of itself in the C:\Users\<USER_NAME>\AppData\Local\Temp\<FOLDER> and C:\Windows\System32\Tasks folders.
- Amadey changes the permission of the dropped copy of itself to read-only mode by executing the following command. This prevents the current active user on the infected endpoint from deleting the dropped copy of Amadey malware.
  cmd.exe\\\" /k echo Y|CACLS \\\"{DROPPED_COPY_OF_AMADEY_MALWARE}\\" /P \\\"Administrator:N\\\"
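The check-in body above is a plain key=value&key=value string, so an analyst who pulls one out of a proxy log or a Suricata HTTP record can turn it into a triage record with a few lines of code. The script below is an added example written for this post, not Wazuh's or Amadey's code. It labels only the four codes the post explains (pc, un, ar, av) and keeps every other code unlabelled rather than guessing its meaning; the field names it assigns, the assumption that ar=1 means the malware runs with admin rights, and the sample body are all constructed here.

```python
"""Parse an Amadey-style HTTP POST check-in body into a labelled triage record."""
from urllib.parse import parse_qsl

# Codes the post explains. The labels are hypothetical names chosen here.
# Every other code is retained under "unlabelled" so nothing is silently lost.
KNOWN_FIELDS = {
    "pc": "computer_name",
    "un": "username",
    "ar": "is_admin",          # assumption: "1" means the process has admin rights
    "av": "antimalware_code",  # numeric code; the post does not map codes to products
}

# Constructed sample in the layout the post shows (not a real capture). It keeps
# the stray spaces before '=' seen in the post's sample and an empty value (dm=).
SAMPLE_BODY = ("id=101495022937&vs=3.86&sd=88c8bb&os=1&bi=1&ar =1&pc =WIN10-VICTIM"
               "&un =Administrator&dm=&av =13&lv=0&og=1")


def parse_checkin(body: str) -> dict:
    """Split a check-in string into a triage dict.

    keep_blank_values=True retains keys with empty values such as 'dm='; keys and
    values are stripped because the captured sample contains spaces around '='.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    raw = {key.strip(): value.strip() for key, value in pairs}
    record = {"unlabelled": {}}
    for code, value in raw.items():
        label = KNOWN_FIELDS.get(code)
        if label is None:
            record["unlabelled"][code] = value
        elif label == "is_admin":
            record[label] = value == "1"
        else:
            record[label] = value
    return record


def summarise(record: dict) -> str:
    """One-line summary suitable for an incident note."""
    return (f"host={record.get('computer_name', '?')} "
            f"user={record.get('username', '?')} "
            f"admin={record.get('is_admin', '?')} "
            f"av_code={record.get('antimalware_code', '?')} "
            f"other_codes={sorted(record['unlabelled'])}")


if __name__ == "__main__":
    print(summarise(parse_checkin(SAMPLE_BODY)))
```

The whitespace stripping matters because a regex built for the tidy form `ar=1` would miss the `ar =1` variant that appears in the captured sample; normalising the keys first keeps the downstream comparison simple.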
Infrastructure
We use the following infrastructure to demonstrate how Wazuh can detect Amadey:
- A pre-built, ready-to-use Wazuh OVA 4.5.0: Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). This VM has a static IP address of 192.168.0.120.
- A Windows 10 endpoint: The victim endpoint has Wazuh agent 4.5.0 installed and enrolled to the Wazuh server. Refer to the following guide to install the Wazuh agent. This endpoint has a static IP address of 192.168.0.110.
- An Ubuntu 22.04 endpoint: This endpoint has Wazuh agent 4.5.0 installed and enrolled to the Wazuh server. We install Suricata on this endpoint. The Ubuntu endpoint has a static IP address of 192.168.0.250.
Detection with Wazuh
In this blog post, we use the following techniques to detect the malicious activities of Amadey on a Windows 10 endpoint:
- Wazuh detection rules: To detect malicious activities of Amadey.
- Suricata integration with Wazuh: To detect the network connection Amadey makes to its C2 server.
Wazuh detection rules
We use Sysmon to monitor several system events and create rules on the Wazuh server to detect the malicious activities performed by Amadey.
Victim endpoint
In this section, we install Sysmon on the Windows endpoint and configure the Wazuh agent to collect Sysmon logs.
Follow the steps below to detect the malicious activities performed by Amadey malware on the Windows endpoint.
1. Download Sysmon and the configuration file sysmonconfig.xml.
2. Edit the sysmonconfig.xml file and include the following configuration within the <EventFiltering> block. This configuration records any file whose full path contains \AppData\Roaming\:
<FileCreate onmatch="include">
  <TargetFilename condition="contains">\AppData\Roaming\</TargetFilename>
</FileCreate>
3. Launch PowerShell with administrative privilege, and install Sysmon as follows:
> .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following settings within the <ossec_config> block.
<!-- Configure Wazuh agent to receive events from Sysmon -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
5. Restart the Wazuh agent for the changes to take effect:
> Restart-Service -Name wazuh
Wazuh server
Perform the following steps to configure detection rules on the Wazuh server.
1. Create a new file /var/ossec/etc/rules/amadey_malware.xml on the Wazuh server:
# touch /var/ossec/etc/rules/amadey_malware.xml
2. Edit the file /var/ossec/etc/rules/amadey_malware.xml and include the following detection rules for Amadey malware:
<group name="windows,sysmon,amadey_detection_rule,">
  <!-- Amadey downloads malicious DLL files on victim endpoint -->
  <rule id="100090" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\appdata\\\\.+(clip64|cred64).+dll</field>
    <description>Possible Amadey malware detected. $(win.eventdata.targetFilename) was downloaded on $(win.system.computer).</description>
  </rule>
  <!-- Amadey loads malicious DLL files -->
  <rule id="100091" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\rundll32.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\appdata\\\\.+(clip64|cred64)\.dll</field>
    <description>Possible Amadey malware detected. Malicious $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image).</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>
  <!-- Amadey changes the permission of the dropped copy of itself.
       The shell pipe in the command line is escaped as \| so pcre2 matches it
       literally instead of treating it as alternation. -->
  <rule id="100092" level="8">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\cacls.exe</field>
    <match type="pcre2">\\\\cmd.exe\\\" /k echo Y\|CACLS \\\".+\.exe\\\" /P \\\"Administrator</match>
    <description>Possible Amadey malware detected. Malware changes the permission of the dropped copy of itself to read-only mode.</description>
    <mitre>
      <id>T1222.001</id>
    </mitre>
  </rule>
  <!-- Amadey achieves persistence -->
  <rule id="100093" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Users\\\\.+\\\\appdata\\\\local\\\\temp\\\\.+\.(exe|msi|dll|bat)</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)HKU\\\\S.+\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\user shell folders\\\\startup</field>
    <description>Possible Amadey malware detected. Malware changes the "Startup" value within the "User Shell Folders" Windows registry key to achieve persistence.</description>
    <mitre>
      <id>T1547</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 100090 is triggered when Amadey malware downloads malicious DLL files on the victim endpoint.
- Rule ID 100091 is triggered when Amadey malware loads the downloaded malicious DLL files on the victim endpoint.
- Rule ID 100092 is triggered when Amadey changes the file permission of the dropped copy of itself to read-only mode.
- Rule ID 100093 is triggered when Amadey changes the Startup value within the User Shell Folders Windows registry key to achieve persistence upon system reboot.
Detection results
The alerts below are generated on the Wazuh dashboard when we run Amadey malware on the Windows endpoint.
Figure 1: Malicious DLL downloaded and loaded by Amadey malware.
Figure 2: Amadey changes the permission of a copy of itself and achieves persistence.
Suricata integration with Wazuh
In this section, we install Suricata on an Ubuntu endpoint and integrate Suricata with the Wazuh server. Finally, we create a rule to detect the network connection Amadey makes to its C2 server.
Ubuntu endpoint
Note: In this blog post, the Ubuntu endpoint is hosted on an Oracle VirtualBox with Promiscuous mode set to Allow All by navigating to Settings>Network>Advanced. This setting allows Suricata to monitor all network traffic, therefore generating a high amount of alerts on the Wazuh dashboard.
1. Install Suricata on the Ubuntu endpoint to monitor network traffic within your environment:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
2. Run the following command to obtain the interface name of the Ubuntu endpoint:
$ ip -brief a
In this case, the output shows that the interface name is enp0s3:
lo        UNKNOWN  127.0.0.1/8 ::1/128
enp0s3    UP       192.168.0.250/24 fe80::a00:27ff:feb6:d803/64
3. Add the network interface to monitor in the Suricata configuration file. Find the af-packet section in the /etc/suricata/suricata.yaml file, and replace eth0 with the interface name of the Ubuntu endpoint:
af-packet:
  - interface: eth0
    # Number of received threads. "auto" uses the number of cores
    #threads: auto
4. Download the Emerging Threats Open ruleset:
$ sudo suricata-update
5. Test your Suricata configuration:
$ sudo suricata -T -c /etc/suricata/suricata.yaml -v
You should have a similar output if your configuration is valid:
Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 2
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 2 rule files processed. 35230 rules successfully loaded, 0 rules failed
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 35233 signatures processed. 1341 are IP-only rules, 5250 are inspecting packet payload, 28430 inspect application layer, 108 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.
6. Run the commands to start Suricata, and also enable it to start at system reboot:
$ sudo systemctl enable suricata
$ sudo systemctl start suricata
7. Edit the Wazuh agent /var/ossec/etc/ossec.conf file and add the following configuration within the <ossec_config> block:
<!-- Configure Wazuh agent to collect and forward the Suricata logs to the Wazuh server for analysis -->
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
8. Restart the Wazuh agent service for the changes to take effect:
$ sudo systemctl restart wazuh-agent
Wazuh server
Perform the following steps to add a rule to detect when Amadey malware makes a connection to a C2 server.
1. Edit the file /var/ossec/etc/rules/amadey_malware.xml on the Wazuh server and append the following configuration:
<group name="detect_amadey_c2_connection,">
  <!-- Amadey connects to its C2 server to exfiltrate data from an infected endpoint -->
  <rule id="100094" level="10">
    <if_sid>86601</if_sid>
    <field name="event_type">^alert$</field>
    <match>ET MALWARE Win32/Amadey Bot Activity (POST) M2</match>
    <description>Amadey malware detected. Possible data exfiltration to a command and control server.</description>
    <mitre>
      <id>T1041</id>
    </mitre>
  </rule>
  <!-- This rule ignores noisy Suricata alerts -->
  <rule id="100095" level="0">
    <if_sid>86601</if_sid>
    <field name="event_type">^alert$</field>
    <match type="pcre2">(?i)(SURICATA stream packet with invalid timestamp)|(SURICATA applayer detect protocol only one direction)</match>
    <description>No Suricata alert.</description>
  </rule>
</group>
Where:
- Rule ID 100094 is triggered when Amadey malware connects to its C2 server to exfiltrate data from an infected endpoint.
- Rule ID 100095 is used to suppress noisy Suricata alerts.
Note: Rule ID 100095 is specific to our setup. You can use a similar rule to suppress noisy Suricata alerts in your environment.
2. Restart the Wazuh manager for the changes to take effect:
$ sudo systemctl restart wazuh-manager
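Before restarting the manager it is worth checking that the patterns in both rule files (the Sysmon rules 100090 to 100093 and the Suricata rules 100094 and 100095) fire on the events they were written for and stay quiet on ordinary AppData activity. The script below is an added example for this post, not Wazuh's rule engine: it transcribes the rules into a table and runs them over constructed events shaped like Wazuh's decoded eventchannel and eve.json records. It assumes that Wazuh matches field regexes against the JSON-escaped text of each field (backslashes doubled, quotes escaped), which is what the post's \\\\ patterns rely on; that 61603, 61609, 61613 and 61615 are the bundled Sysmon rules for events 1, 7, 11 and 13 and 86601 the bundled Suricata alert rule; that Python's re is a close enough stand-in for pcre2 and that a <match> without a type is a literal substring test. Unlike Wazuh, which picks one winning rule per event, it lists every child rule that matches. All file paths, SIDs and events are constructed.

```python
"""Dry-run the post's Wazuh rules against constructed events (added example)."""
import json
import re

# Wazuh parent rules named by the post's <if_sid> lines (assumed mapping):
# bundled Sysmon rules for events 1, 7, 11, 13 and the bundled Suricata alert rule.
SYSMON_PARENT = {"1": 61603, "7": 61609, "11": 61613, "13": 61615}
SURICATA_PARENT = 86601

# Rule table transcribed from the post's amadey_malware.xml. "fields" are
# unanchored searches on decoded fields; "match" is searched in the raw log line.
RULES = [
    {"id": 100090, "level": 10, "if_sid": 61613, "fields": {
        "win.eventdata.image": r"(?i)\\\\.+(exe|dll|bat|msi)",
        "win.eventdata.targetFilename": r"(?i)\\\\appdata\\\\.+(clip64|cred64).+dll"}},
    {"id": 100091, "level": 12, "if_sid": 61609, "fields": {
        "win.eventdata.image": r"(?i)\\\\rundll32.exe",
        "win.eventdata.imageLoaded": r"(?i)\\\\appdata\\\\.+(clip64|cred64)\.dll"}},
    {"id": 100092, "level": 8, "if_sid": 61603,
     "fields": {"win.eventdata.image": r"(?i)\\\\cacls.exe"},
     # the shell pipe is escaped (\|) so it is matched literally, not as alternation
     "match": r'\\\\cmd.exe\\\" /k echo Y\|CACLS \\\".+\.exe\\\" /P \\\"Administrator'},
    {"id": 100093, "level": 12, "if_sid": 61615, "fields": {
        "win.eventdata.image": r"(?i)\\\\Users\\\\.+\\\\appdata\\\\local\\\\temp\\\\.+\.(exe|msi|dll|bat)",
        "win.eventdata.targetObject": r"(?i)HKU\\\\S.+\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\user shell folders\\\\startup"}},
    # a <match> without a type is a literal substring test in Wazuh, hence re.escape
    {"id": 100094, "level": 10, "if_sid": 86601, "fields": {"event_type": r"^alert$"},
     "match": re.escape("ET MALWARE Win32/Amadey Bot Activity (POST) M2")},
    {"id": 100095, "level": 0, "if_sid": 86601, "fields": {"event_type": r"^alert$"},
     "match": r"(?i)(SURICATA stream packet with invalid timestamp)|(SURICATA applayer detect protocol only one direction)"},
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names. Values stay JSON-escaped
    (backslashes doubled, quotes escaped): the assumption behind the post's
    four-backslash patterns is that Wazuh matches the escaped text, not the path."""
    fields = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        else:
            fields[name] = json.dumps(str(value))[1:-1]
    return fields


def parent_rule(event):
    """Pick the Wazuh parent rule the event would have matched first."""
    if "win" in event:
        return SYSMON_PARENT.get(event["win"]["system"]["eventID"])
    if event.get("event_type") == "alert":
        return SURICATA_PARENT
    return None


def evaluate(event):
    """Return ids of the post's rules that fire on one event. A level-0 hit
    (100095) means Wazuh would drop the event instead of alerting."""
    raw_log = json.dumps(event)
    fields = flatten(event)
    parent = parent_rule(event)
    hits = []
    for rule in RULES:
        if rule["if_sid"] != parent:
            continue
        if not all(re.search(rx, fields.get(name, "")) for name, rx in rule["fields"].items()):
            continue
        if "match" in rule and not re.search(rule["match"], raw_log):
            continue
        hits.append(rule["id"])
    return hits


def sysmon(event_id, **eventdata):
    """Shape of a Wazuh eventchannel record for one Sysmon event (constructed)."""
    return {"win": {"system": {"eventID": str(event_id), "computer": "WIN10-VICTIM"},
                    "eventdata": eventdata}}


# Constructed sample events following the behaviours the post describes.
DROP = r"C:\Users\victim\AppData\Local\Temp\abcdef\amadey.exe"
DLL = r"C:\Users\victim\AppData\Roaming\abcdef\clip64.dll"
SAMPLE_EVENTS = {
    "dll_dropped": sysmon(11, image=DROP, targetFilename=DLL),
    "dll_loaded": sysmon(7, image=r"C:\Windows\System32\rundll32.exe", imageLoaded=DLL),
    "cacls": sysmon(1, image=r"C:\Windows\System32\cacls.exe",
                    commandLine=f'CACLS "{DROP}" /P "Administrator:N"',
                    parentCommandLine=f'"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "{DROP}" /P "Administrator:N"'),
    "startup_value": sysmon(13, image=DROP,
                            targetObject=r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup"),
    "benign_file": sysmon(11, image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
                          targetFilename=r"C:\Users\victim\AppData\Roaming\Mozilla\profiles.ini"),
    "c2_post": {"event_type": "alert", "alert": {"signature": "ET MALWARE Win32/Amadey Bot Activity (POST) M2"}},
    "noisy": {"event_type": "alert", "alert": {"signature": "SURICATA applayer detect protocol only one direction"}},
}


def run_samples():
    """Map each constructed event name to the rule ids that fire on it."""
    return {name: evaluate(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:14s} -> {hits or 'no Amadey rule fired'}")
```

The benign Firefox write under AppData\Roaming is the useful negative case: the Sysmon include filter from the victim-endpoint section forwards it, and it is the (clip64|cred64) part of rule 100090 that keeps it from alerting, so any widening of that pattern should be re-run against a sample like it.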
The alerts below are generated on the Wazuh dashboard when Amadey makes a network connection to its C2 server from an infected Windows endpoint.
Figure 3: Amadey connects to its C2 server to exfiltrate data from an infected endpoint.
Conclusion
In this blog post, we have successfully used Wazuh to detect the behavior of Amadey malware. Specifically, we used Sysmon and Suricata integration with Wazuh to detect Amadey malware on a Windows endpoint.
Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.