Detecting Amadey malware with Wazuh
Amadey is malware that steals sensitive information from infected Windows endpoints. It was first discovered in 2018 and has maintained a persistent botnet infrastructure since then. It can download additional malware from a command and control (C2) server onto the infected endpoints, and it sends the stolen information to a remote C2 server through HTTP POST requests.
Amadey can also add infected endpoints to a botnet that threat actors use to launch distributed denial of service (DDoS) attacks. Threat actors usually distribute Amadey through cracked versions of legitimate software and keygens.
This blog post shows how we use Wazuh to detect Amadey malware on an infected Windows endpoint.
Amadey downloads the `clip64.dll` and `cred64.dll` files from a C2 server and saves them in the `C:\Users\<USER_NAME>\AppData\Roaming\<FOLDER>` folder. It uses the Windows `rundll32.exe` utility to execute these DLL files, which steal sensitive information from the infected endpoint. The stolen information is sent to the C2 server in the body of an HTTP POST request, for example:

```
id=101495022937&vs=3.86&sd=88c8bb&os=1&bi=1&ar =1&pc =Windows-10un =Administrator&dm=&av =13&lv=0&og=1
```

Amadey modifies the `Startup` value of the `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` Windows registry key to maintain persistence upon system reboot. It also drops copies of itself in the `C:\Users\<USER_NAME>\AppData\Local\Temp\<FOLDER>` and `C:\Windows\System32\Tasks` folders, and runs the following command to change the permissions of the dropped copy:

```
cmd.exe" /k echo Y|CACLS "{DROPPED_COPY_OF_AMADEY_MALWARE}" /P "Administrator:N"
```
Infrastructure
We use the following infrastructure to demonstrate how Wazuh can detect Amadey:
Detection with Wazuh
In this blog post, we use the following techniques to detect the malicious activities of Amadey on a Windows 10 endpoint:
We use Sysmon to monitor several system events and create rules on the Wazuh server to detect the malicious activities performed by Amadey.
In this section, we install Sysmon on the Windows endpoint and configure the Wazuh agent to collect Sysmon logs.
Follow the steps below to detect the malicious activities performed by Amadey malware on the Windows endpoint.
1. Download Sysmon and the configuration file `sysmonconfig.xml`.
2. Edit the `sysmonconfig.xml` file and include the following configuration within the `<EventFiltering>` block. This configuration records any file whose full path contains `\AppData\Roaming\`:

```xml
<FileCreate onmatch="include">
  <TargetFilename condition="contains">\AppData\Roaming\</TargetFilename>
</FileCreate>
```

3. Launch PowerShell with administrative privilege, and install Sysmon as follows:

```powershell
> .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
```

4. Edit the Wazuh agent `C:\Program Files (x86)\ossec-agent\ossec.conf` file and include the following settings within the `<ossec_config>` block:

```xml
<!-- Configure Wazuh agent to receive events from Sysmon -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

5. Restart the Wazuh agent for the changes to take effect:

```powershell
> Restart-Service -Name wazuh
```
Perform the following steps to configure detection rules on the Wazuh server.
1. Create a new file `/var/ossec/etc/rules/amadey_malware.xml` on the Wazuh server:

```bash
# touch /var/ossec/etc/rules/amadey_malware.xml
```

2. Edit the file `/var/ossec/etc/rules/amadey_malware.xml` and include the following detection rules for Amadey malware:

```xml
<group name="windows,sysmon,amadey_detection_rule,">

  <!-- Amadey downloads malicious DLL files on victim endpoint -->
  <rule id="100090" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\appdata\\\\.+(clip64|cred64).+dll</field>
    <description>Possible Amadey malware detected. $(win.eventdata.targetFilename) was downloaded on $(win.system.computer).</description>
  </rule>

  <!-- Amadey loads malicious DLL files -->
  <rule id="100091" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\rundll32.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\appdata\\\\.+(clip64|cred64)\.dll</field>
    <description>Possible Amadey malware detected. Malicious $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image).</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>

  <!-- Amadey changes the permission of the dropped copy of itself -->
  <rule id="100092" level="8">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\cacls.exe</field>
    <!-- The pipe in the command line is escaped as \| so pcre2 treats it as a literal character rather than an alternation -->
    <match type="pcre2">\\\\cmd.exe\\\" /k echo Y\|CACLS \\\".+\.exe\\\" /P \\\"Administrator</match>
    <description>Possible Amadey malware detected. Malware changes the permission of the dropped copy of itself to read-only mode.</description>
    <mitre>
      <id>T1222.001</id>
    </mitre>
  </rule>

  <!-- Amadey achieves persistence -->
  <rule id="100093" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Users\\\\.+\\\\appdata\\\\local\\\\temp\\\\.+\.(exe|msi|dll|bat)</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)HKU\\\\S.+\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\user shell folders\\\\startup</field>
    <description>Possible Amadey malware detected. Malware changes the "Startup" value within the "User Shell Folders" Windows registry key to achieve persistence.</description>
    <mitre>
      <id>T1547</id>
    </mitre>
  </rule>

</group>
```
Where:

- `100090` is triggered when Amadey malware downloads malicious DLL files on the victim endpoint.
- `100091` is triggered when Amadey malware loads the downloaded malicious DLL files on the victim endpoint.
- `100092` is triggered when Amadey changes the file permission of the dropped copy of itself to read-only mode.
- `100093` is triggered when Amadey changes the `Startup` value within the `User Shell Folders` Windows registry key to achieve persistence upon system reboot.

The alerts below are generated on the Wazuh dashboard when we run Amadey malware on the Windows endpoint.
Figure 1: Malicious DLL downloaded and loaded by Amadey malware.
Figure 2: Amadey changes the permission of a copy of itself and achieves persistence.
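To check how the four Sysmon rules above behave before deploying them, here is an added Python example (not part of the original post or of the Wazuh ruleset) that replays the rules' pcre2 patterns over constructed Sysmon events. It assumes Wazuh evaluates the patterns against the JSON-escaped field text (the reason a single backslash is written as `\\\\` in the rules); the Sysmon event IDs stand in for the parent `<if_sid>` rules, and the paths, SID and command line in the sample events are made up.

```python
import json
import re

# Added example (not from the Wazuh blog): replays this page's four Sysmon rules over
# constructed events. Assumption: Wazuh tests pcre2 patterns against the JSON-escaped
# field text, which is why one literal backslash is written as \\\\ in the rules.

# (rule id, Sysmon event ID selected by the parent <if_sid>, <field> patterns, <match> pattern)
RULES = [
    ("100090", 11, {"win.eventdata.image": r"(?i)\\\\.+(exe|dll|bat|msi)",
                    "win.eventdata.targetFilename": r"(?i)\\\\appdata\\\\.+(clip64|cred64).+dll"}, None),
    ("100091", 7, {"win.eventdata.image": r"(?i)\\\\rundll32.exe",
                   "win.eventdata.imageLoaded": r"(?i)\\\\appdata\\\\.+(clip64|cred64)\.dll"}, None),
    # The pipe is escaped (\|) so it is a literal character rather than a regex alternation.
    ("100092", 1, {"win.eventdata.image": r"(?i)\\\\cacls.exe"},
     r'\\\\cmd.exe\\\" /k echo Y\|CACLS \\\".+\.exe\\\" /P \\\"Administrator'),
    ("100093", 13, {"win.eventdata.image": r"(?i)\\\\Users\\\\.+\\\\appdata\\\\local\\\\temp\\\\.+\.(exe|msi|dll|bat)",
                    "win.eventdata.targetObject": r"(?i)HKU\\\\S.+\\\\software\\\\microsoft\\\\windows\\\\"
                                                  r"currentversion\\\\explorer\\\\user shell folders\\\\startup"}, None),
]

def escaped(value: str) -> str:
    """Field text as it appears inside the JSON event: backslashes and quotes escaped."""
    return json.dumps(value)[1:-1]

def matching_rules(event_id: int, eventdata: dict) -> list:
    """IDs of the page's rules that fire on one Sysmon event (fields are given unescaped)."""
    log = json.dumps(eventdata)  # <match> patterns run against the whole JSON log line
    return [rule_id for rule_id, gate, fields, full_log in RULES
            if gate == event_id  # <if_sid> parent rule selects the Sysmon event type
            and all(re.search(p, escaped(eventdata.get(n, ""))) for n, p in fields.items())
            and (full_log is None or re.search(full_log, log))]

# Constructed events modelled on the behaviour described on this page (paths are made up).
DROPPER = r"C:\Users\admin\AppData\Local\Temp\abcd\dropper.exe"
DLL = r"C:\Users\admin\AppData\Roaming\abcd\clip64.dll"
SAMPLE_EVENTS = [
    (11, {"win.eventdata.image": DROPPER, "win.eventdata.targetFilename": DLL}),
    (7, {"win.eventdata.image": r"C:\Windows\System32\rundll32.exe", "win.eventdata.imageLoaded": DLL}),
    (1, {"win.eventdata.image": r"C:\Windows\System32\cacls.exe",
         "win.eventdata.commandLine": f'"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "{DROPPER}" /P "Administrator:N"'}),
    (13, {"win.eventdata.image": DROPPER, "win.eventdata.targetObject":
          r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup"}),
    (11, {"win.eventdata.image": r"C:\Windows\explorer.exe",
          "win.eventdata.targetFilename": r"C:\Users\admin\AppData\Roaming\notes.txt"}),  # benign: no alert
]

if __name__ == "__main__":
    for event_id, data in SAMPLE_EVENTS:
        print(event_id, matching_rules(event_id, data) or "no Amadey rule fired")
```

The last sample event is a benign file write under `AppData\Roaming`, which Sysmon records because of the `FileCreate` filter but which none of the rules should turn into an alert.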
In this section, we install Suricata on an Ubuntu endpoint and integrate Suricata with the Wazuh server. Finally, we create a rule to detect the network connection Amadey makes to its C2 server.
Note: In this blog post, the Ubuntu endpoint is hosted on Oracle VirtualBox with `Promiscuous mode` set to `Allow All` under `Settings > Network > Advanced`. This setting allows Suricata to monitor all network traffic, which also generates a high number of alerts on the Wazuh dashboard.
1. Install Suricata on the Ubuntu endpoint to monitor network traffic within your environment:

```bash
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
```
2. Run the following command to obtain the interface name of the Ubuntu endpoint:

```bash
$ ip -brief a
```

In this case, the output shows that the interface name is `enp0s3`:

```
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp0s3           UP             192.168.0.250/24 fe80::a00:27ff:feb6:d803/64
```
3. Add the network interface to monitor in the Suricata configuration file. Find the `af-packet` section in the `/etc/suricata/suricata.yaml` file, and replace `eth0` with the interface name of the Ubuntu endpoint:

```yaml
af-packet:
  - interface: eth0
    # Number of received threads. "auto" uses the number of cores
    #threads: auto
```
4. Download the Emerging Threats Open ruleset:

```bash
$ sudo suricata-update
```

5. Test your Suricata configuration:

```bash
$ sudo suricata -T -c /etc/suricata/suricata.yaml -v
```

You should have a similar output if your configuration is valid:

```
Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 2
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 2 rule files processed. 35230 rules successfully loaded, 0 rules failed
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 35233 signatures processed. 1341 are IP-only rules, 5250 are inspecting packet payload, 28430 inspect application layer, 108 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.
```

6. Run the following commands to start Suricata and enable it to start at system reboot:

```bash
$ sudo systemctl enable suricata
$ sudo systemctl start suricata
```
7. Edit the Wazuh agent `/var/ossec/etc/ossec.conf` file and add the following configuration within the `<ossec_config>` block:

```xml
<!-- Configure Wazuh agent to collect and forward the Suricata logs to the Wazuh server for analysis -->
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
```

8. Restart the Wazuh agent service for the changes to take effect:

```bash
$ sudo systemctl restart wazuh-agent
```
Perform the following steps to add a rule to detect when Amadey malware makes a connection to a C2 server.
1. Edit the file `/var/ossec/etc/rules/amadey_malware.xml` on the Wazuh server and append the following configuration:

```xml
<group name="detect_amadey_c2_connection,">

  <!-- Amadey connects to its C2 server to exfiltrate data from an infected endpoint -->
  <rule id="100094" level="10">
    <if_sid>86601</if_sid>
    <field name="event_type">^alert$</field>
    <match>ET MALWARE Win32/Amadey Bot Activity (POST) M2</match>
    <description>Amadey malware detected. Possible data exfiltration to a command and control server.</description>
    <mitre>
      <id>T1041</id>
    </mitre>
  </rule>

  <!-- This rule ignores noisy Suricata alerts -->
  <rule id="100095" level="0">
    <if_sid>86601</if_sid>
    <field name="event_type">^alert$</field>
    <match type="pcre2">(?i)(SURICATA stream packet with invalid timestamp)|(SURICATA applayer detect protocol only one direction)</match>
    <description>No Suricata alert.</description>
  </rule>

</group>
```

Where:

- `100094` is triggered when Amadey malware connects to its C2 server to exfiltrate data from an infected endpoint.
- `100095` is used to suppress noisy Suricata alerts.

Note: Rule ID `100095` is specific to our setup. You can use a similar rule to suppress noisy Suricata alerts in your environment.
2. Restart the Wazuh manager for the changes to take effect:

```bash
$ sudo systemctl restart wazuh-manager
```

The alerts below are generated on the Wazuh dashboard when Amadey makes a network connection to its C2 server from an infected Windows endpoint.
Figure 3: Amadey connects to its C2 server to exfiltrate data from an infected endpoint.
Conclusion
In this blog post, we have successfully used Wazuh to detect the behavior of Amadey malware. Specifically, we used Sysmon and Suricata integration with Wazuh to detect Amadey malware on a Windows endpoint.
Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.