Reverse Engineering Amadey Malware
This blog post is about reversing “Amadey”, a stealthy information-stealing malware that I attribute to the DPRK-linked Thallium APT group. This group has been seen collaborating with other “cyber espionage” APT groups such as APT-C-41, APT41, APT28, APT19 and APT-C-00 to target researchers working on nCoV-19 vaccines, with the aim of stealing nCoV-19 research data from European, American and Asian countries.
Static and Dynamic Analysis
Static Analysis (Advanced)
Before reading this blog, I would ask you to read my last blog on APT-C-41 (StrongPity). It is available here:
Uncovering APT-C-41 (StrongPity) Backdoor: Reverse Engineering a tool of a Turkish Espionage and Cyber Crime Group.
I am assuming that you have read that blog fully, so I will continue from what you have read there. In this malware, too, the start function is similar to that of the StrongPity (APT-C-41) malware and of the other malware I have reversed; you can read my other blogs for those.
Now, moving on to the main function.
This function is responsible for communicating with the command and control (C2) server.
What this function does is fetch the payload from the C2 server and load it into the memory of the infected system, so the second stage never needs to be written to disk as a separate file.
Dynamic Analysis (Basic)
Dynamic Analysis (Advanced)
Cyber Kill Chain:
Analysis using IDA:
For this analysis with the debugger, I have set up the following breakpoints:
1. start function
2. callr_of_main_function function
3. comm_with_C2 function
As seen in the screenshot above, the debugger first hits the breakpoint at the start function. After that, it hits the breakpoint at the “comm_with_C2” function.
Soon after that, the debugger hits a trap set for the debugger as the further execution of the malicious trojan “Amadey” proceeds.
Then the debugger again hits the breakpoint at the “comm_with_C2” function, and we can see that the function “get_system_information” is executed to collect system information for the attacker (threat actor).
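The breakpoint walkthrough above is easy to lose track of once the trap fires and the same function is reached a second time. The following IDAPython helper is an added example (not code from the original post): it sets software breakpoints on the named functions, logs every hit in the order the debugger reaches them, and reports which functions were reached more than once (in the post, comm_with_C2). It assumes the IDB already carries the analyst-assigned names start, callr_of_main_function, comm_with_C2 and get_system_information from the breakpoint list above; the helper names HitTrace, HitLogger, resolve_breakpoints and install, and the sample trace, are mine. The HitTrace part has no IDA dependency, so the summary logic can be exercised outside IDA on the constructed trace.

```python
"""IDAPython breakpoint tracer for the walkthrough above (added example, not the post's code).

Inside IDA (File > Script file, with the debugger attached) it places breakpoints
and hooks hits; outside IDA only the pure HitTrace / resolve_breakpoints logic runs.
"""
from collections import Counter

try:  # IDA modules exist only inside IDA; keep the pure logic importable elsewhere
    import ida_dbg
    import ida_name
    import idaapi
    IN_IDA = True
except ImportError:
    IN_IDA = False

# Names from the post's breakpoint list, plus the function it observes being called
# from comm_with_C2. They are assumed to already be assigned in the IDB.
BREAKPOINT_FUNCS = ["start", "callr_of_main_function", "comm_with_C2", "get_system_information"]

# Constructed sample trace mirroring the hit order described in the post
# (addresses and thread id are made up for the example).
SAMPLE_TRACE = [
    ("start", 0x401000, 1),
    ("comm_with_C2", 0x402000, 1),
    ("comm_with_C2", 0x402000, 1),
    ("get_system_information", 0x403000, 1),
]


class HitTrace:
    """Records breakpoint hits in order and answers questions about the sequence."""

    def __init__(self):
        self.hits = []  # list of (function_name, ea, tid)

    def record(self, name, ea, tid):
        self.hits.append((name, ea, tid))

    def order(self):
        return [name for name, _, _ in self.hits]

    def counts(self):
        return Counter(self.order())

    def repeated(self):
        """Functions reached more than once, in the order their second hit occurred."""
        seen, result = Counter(), []
        for name in self.order():
            seen[name] += 1
            if seen[name] == 2:
                result.append(name)
        return result

    def reached_before(self, first, second):
        """True if `first` was hit at least once before the first hit of `second`."""
        names = self.order()
        return second in names and first in names[: names.index(second)]


def resolve_breakpoints(names, ea_of_name):
    """Map names to addresses via ea_of_name (returns None when missing); report the missing ones."""
    found, missing = {}, []
    for name in names:
        ea = ea_of_name(name)
        (missing.append(name) if ea is None else found.__setitem__(name, ea))
    return found, missing


def demo():
    """Replay the constructed trace and return the functions hit more than once."""
    trace = HitTrace()
    for name, ea, tid in SAMPLE_TRACE:
        trace.record(name, ea, tid)
    return trace.repeated()


if IN_IDA:
    class HitLogger(ida_dbg.DBG_Hooks):
        """Debugger hook: logs each breakpoint hit into a HitTrace."""

        def __init__(self, ea_to_name, trace):
            super().__init__()
            self.ea_to_name, self.trace = ea_to_name, trace

        def dbg_bpt(self, tid, ea):
            name = self.ea_to_name.get(ea, "0x%x" % ea)
            self.trace.record(name, ea, tid)
            print("[bp] tid=%d %s @ 0x%x" % (tid, name, ea))
            return 0  # 0 = stop in the UI as a normal breakpoint would

    def install(names=BREAKPOINT_FUNCS):
        def lookup(name):
            ea = ida_name.get_name_ea(idaapi.BADADDR, name)
            return None if ea == idaapi.BADADDR else ea

        found, missing = resolve_breakpoints(names, lookup)
        for name in missing:
            print("[!] no function named %s in the IDB" % name)
        for ea in found.values():
            ida_dbg.add_bpt(ea, 0, ida_dbg.BPT_SOFT)
        trace, hooks = HitTrace(), None
        hooks = HitLogger({ea: n for n, ea in found.items()}, trace)
        hooks.hook()
        return hooks, trace  # keep both referenced, or the hook is garbage-collected

    HOOKS, TRACE = install()
    print("Breakpoints set; after the session inspect TRACE.order() and TRACE.repeated().")
```

Inside IDA, continue the process as usual; each hit is printed to the output window and, once the session is over, TRACE.repeated() shows that comm_with_C2 was reached twice and TRACE.reached_before("comm_with_C2", "get_system_information") confirms the call order seen in the walkthrough.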
Indicators of Compromise (IOCs) and Detections
Network [C2 Communications]
MITRE ATT&CK Techniques
Sample from Report
Dropped executable file
Mapping Network Traffic via Wire
Amadey Trojan distributed by DPRK-affiliated APT groups
Malicious Word documents titled "Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc" were…