According to the new AHNLAB report, during the latest malicious campaigns, it began to spread in two ways:
Using a malicious Word document with a VBA macro, which works after the victim opens it. This macro launches a PowerShell team for loading and starting Amadey.
Using a executable file (“Resume.exe”), which is masked under the Word document and is distributed through phishing messages.
For the first time, Amadey was discovered in 2018. Experts describe it as a botnet project to collect personal information of victims, which is sold in a darknet at a price of up to $ 600. And although its main function is the collection of confidential information from infected nodes, it is also used as a dropper for other malicious ones.
А последний отчет AhnLab основан на Word-файле под названием ” 심시아.docx “, который был загружен On Virustotal October 28, 2022. According to experts, AMADEY immediately after launch receives and launches additional commands that deploy extortion on Lockbit in one of two formats: PowerShell (.PS1) or (.Exe).
Recall that this year we reported about another malicious campaign, during which the cracks were used to spread Amadey through Smokeloader.