Full Report
Amadey, an established malware loader active since at least 2018, was observed downloading second-stage payloads from a hijacked self-hosted GitLab instance hosted on gitlab[.]bzctoons[.]net. The infrastructure appears to belong to a legitimate organization, with evidence sugg...
Analysis Summary
# Tool/Technique: Amadey Loader
## Overview
Amadey is an established malware loader, active since at least 2018, responsible for downloading and executing second-stage malware payloads. In the observed campaign, it was used to fetch the StealC infostealer from a compromised self-hosted GitLab instance.
## Technical Details
- Type: Malware family (Loader)
- Platform: Windows
- Capabilities: Downloading secondary payloads, process injection/spawning, execution control via mutex, persistence via scheduled tasks, string obfuscation.
- First Seen: At least 2018
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (implied delivery mechanism)
  - T1078 - Valid Accounts (implied compromise of GitLab user/environment)
- TA0002 - Execution
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - System Binary Proxy Execution: Rundll32
- TA0003 - Persistence
  - T1053.005 - Scheduled Task/Job
- TA0005 - Defense Evasion
  - T1036 - Masquerading
    - T1036.005 - Process Masquerading (implied via child process activity)
## Functionality
### Core Capabilities
- Downloading second-stage payloads from a compromised infrastructure (specifically a hijacked GitLab instance: `gitlab[.]bzctoons[.]net`).
- Enforcing single execution control using a mutex.
- Relocating its binary (`Yfgfwb.exe`) to a temporary directory upon execution.
- Establishing persistence via creation of scheduled tasks.
### Advanced Features
- String and C2 communication obfuscation using a combination of custom Base64 encoding and RC4 encryption.
- Spawning multiple child processes in parallel to execute functions:
  - Spawning `rundll32.exe` to load a clipper plugin.
  - Spawning `powershell.exe` for archive extraction.
  - Direct execution of the StealC infostealer (`x64_protect.exe`).
## Indicators of Compromise
- File Hashes: N/A (Not provided in context)
- File Names: `Yfgfwb.exe` (Amadey loader), `x64_protect.exe` (StealC payload)
- Registry Keys: N/A (Persistence via scheduled tasks referenced)
- Network Indicators: `gitlab[.]bzctoons[.]net` (C2/Payload hosting infrastructure)
- Behavioral Indicators: Mutex usage, creation of scheduled tasks, spawning child processes (`rundll32.exe`, `powershell.exe`) followed by execution of StealC.
## Associated Threat Actors
Unknown (The article context only specifies the campaign type, not the actor group).
## Detection Methods
- Signature-based detection for known Amadey file names or hardcoded configuration values (mutex name, decryption key if known).
- Behavioral detection focusing on executables that create scheduled tasks for persistence or that decode RC4/Base64-obfuscated strings at runtime.
- Monitoring child processes spawned by the loader, especially `rundll32.exe` loading plugins and `powershell.exe` performing archive extraction.
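The child-process and persistence behaviours listed above can be correlated per parent process; the following Python is an added example (not code from the report or from any tool it describes) that scores constructed Sysmon-style process-creation events for a parent running from a Temp directory that spawns `schtasks /create`, `rundll32.exe` with a DLL, and `powershell.exe` with `Expand-Archive`. Image paths, PIDs and the DLL name are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events: (pid, ppid, image, command line).
# Paths, PIDs and "plugin.dll" are illustrative placeholders, not real indicators.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Program Files\Git\git.exe", "git pull"),
    (200, 100, r"C:\Users\u\AppData\Local\Temp\1234\Yfgfwb.exe", "Yfgfwb.exe"),
    (201, 200, r"C:\Windows\System32\schtasks.exe",
     "schtasks.exe /Create /SC MINUTE /MO 1 /TN Yfgfwb /TR C:\\Users\\u\\AppData\\Local\\Temp\\1234\\Yfgfwb.exe"),
    (202, 200, r"C:\Windows\System32\rundll32.exe", "rundll32.exe plugin.dll,Main"),
    (203, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c Expand-Archive -Path a.zip -DestinationPath ."),
    (204, 200, r"C:\Users\u\AppData\Local\Temp\1234\x64_protect.exe", "x64_protect.exe"),
    (300, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Date"),  # benign PowerShell use: should not be flagged
]

# Parent image located under a Temp/Tmp directory (loader relocates itself there).
TEMP_PATH = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)

# Child-process rules: indicator name -> (image regex, command-line regex).
CHILD_RULES = {
    "schtasks_create": (r"schtasks\.exe$", r"/create"),
    "rundll32_plugin": (r"rundll32\.exe$", r"\.dll"),
    "powershell_extract": (r"powershell\.exe$", r"expand-archive"),
}


def detect(events, min_hits=2):
    """Return {parent_pid: sorted indicator names} for parents with >= min_hits indicators."""
    image_of = {pid: img for pid, _, img, _ in events}
    hits = defaultdict(set)
    for _, ppid, img, cmd in events:
        for name, (img_re, cmd_re) in CHILD_RULES.items():
            if re.search(img_re, img, re.I) and re.search(cmd_re, cmd, re.I):
                hits[ppid].add(name)  # credit the indicator to the parent
    for pid, img in image_of.items():
        if TEMP_PATH.search(img):
            hits[pid].add("runs_from_temp")
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

Requiring two or more indicators keeps a lone Temp-directory executable or an ordinary PowerShell invocation from alerting on its own.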
## Mitigation Strategies
- Strict network segmentation and egress filtering to prevent communication with known malicious infrastructure.
- Patching and securing self-hosted services, particularly source code repositories like GitLab, to prevent account compromise or exploitation leading to infrastructure hijacking.
- Application whitelisting to restrict execution of unknown binaries from temporary directories.
## Related Tools/Techniques
- StealC Infostealer (Secondary payload delivered by Amadey).