Hunting rule, patterns and my low-key conspiracy theory
Analysis Summary
# Tool/Technique: Amadey Loader
## Overview
Amadey Loader is a malware family that functions primarily as a loader, deploying secondary malicious payloads such as the information stealers Lumma Stealer, Redline, and Mystic. Its infrastructure is characterized by a specific login page structure, recurring server configurations, and consistent hosting patterns, and it is used by threat actors such as Secret Blizzard for initial system infiltration, often via phishing campaigns.
## Technical Details
- Type: Malware family
- Platform: Undetermined (Implied Windows via association with common stealers)
- Capabilities: Loading (delivering) secondary malicious payloads via compromised infrastructure.
- First Seen: Not specified in the text, but recent activity is discussed.
## MITRE ATT&CK Mapping
The primary function of Amadey Loader is initial delivery and execution of secondary malware.
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied delivery via malicious files distributed through phishing emails)
- T1074 - Data Staged
- T1074.001 - Data from Local System (The loader prepares to drop payloads)
- T1105 - Ingress Tool Transfer (The loader transfers secondary malware shells/droppers)
*(Note: Specific mappings are inferred based on Amadey's function as a loader used in phishing campaigns.)*
## Functionality
### Core Capabilities
- Acts as a dropper/loader for subsequent malware stages, specifically information stealers (Lumma, Redline, Mystic).
- Utilizes infrastructure designed to mimic legitimate or placeholder login pages (e.g., `Login.php`).
- Its hosted resources reuse identical files, so resource-hash pivoting reveals consistent patterns that can be used to map the infrastructure.
### Advanced Features
- **Infrastructure Mimicry:** Uses consistent directory structures, panel names (e.g., *Jo89Ku7d, CoreOPT*), and naming conventions for its C2/landing pages.
- **Counter-Intelligence Awareness (Inferred):** Threat actors using the infrastructure may actively block enumeration attempts from specific security scanning platforms (Censys, Shodan) based on historical report data.
## Indicators of Compromise
The analysis focused heavily on infrastructure associated with the Amadey login pages.
- **File Hashes:** Not explicitly listed in the summary (the article implies pivoting via resource hash, which is not a file hash itself).
- **File Names (On Server):** `style.css`, `Ico.ico`, `Login.php`
- **Registry Keys:** Not applicable/mentioned.
- **Network Indicators (IPs):**
- **Network Indicators (Domains):**
- **Behavioral Indicators:** Serving the specific login page structure; running Nginx 1.18.0 on Ubuntu or Apache 2.4.58; consistent page sizes (1, 4 or 10 KB) across hosts.
## Associated Threat Actors
- Secret Blizzard
## Detection Methods
- **Signature-based detection:** Can utilize targeted YARA/IOC matching based on known IP/Domain lists.
- **Behavioral detection:** Monitoring for connections to infrastructure hosted on identified Autonomous Systems (AS51381, AS57523, AS216319, AS57678, AS216309) or servers running the specified Nginx/Apache versions hosting this specific login structure.
- **Hunting Rule Example (Elastic/SIEM):**

```
page.url.keyword:*\/*\/Login\.php AND (server:"nginx/1.18.0 (Ubuntu)" OR server:"Apache/2.4.58") AND filename:"Style.css" AND filename:"Ico.ico"
```
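The same fingerprint expressed as an offline check over scan records, added here as an illustration rather than code from the report or from any vendor tool; the record layout, the path regex, and the sample hosts (`*.example.invalid`) are assumptions, and the page-size check is reported as a weak signal rather than required for a hit.

```python
import re
from urllib.parse import urlparse

# Fingerprint fields taken from the hunting rule and behavioral indicators above.
LOGIN_PATH = re.compile(r"^(?:/[^/]+)+/Login\.php$")  # >=1 directory, then Login.php (case-sensitive, like the rule)
SERVER_HEADERS = {"nginx/1.18.0 (Ubuntu)", "Apache/2.4.58"}
REQUIRED_FILES = {"style.css", "ico.ico"}  # compared case-insensitively (report shows both style.css and Style.css)
PAGE_SIZES_KB = {1, 4, 10}  # sizes noted in the report; treated as an optional, weak signal


def matches_amadey_panel(record):
    """Evaluate one scan record (assumed keys: url, server, filenames, size_bytes).

    Returns per-check booleans plus an overall 'hit', so an analyst can see
    which part of the fingerprint fired or failed.
    """
    path = urlparse(record.get("url", "")).path
    names = {f.rsplit("/", 1)[-1].lower() for f in record.get("filenames", [])}
    checks = {
        "login_path": bool(LOGIN_PATH.match(path)),
        "server": record.get("server") in SERVER_HEADERS,
        "resources": REQUIRED_FILES.issubset(names),
        "size": round(record.get("size_bytes", 0) / 1024) in PAGE_SIZES_KB,
    }
    checks["hit"] = checks["login_path"] and checks["server"] and checks["resources"]
    return checks


def hunt(records):
    """Return the URLs of all records that satisfy the full fingerprint."""
    return [r["url"] for r in records if matches_amadey_panel(r)["hit"]]


# Constructed sample records with placeholder hosts (not indicators from the report).
SAMPLE_RECORDS = [
    {"url": "http://panel.example.invalid/Jo89Ku7d/Login.php",
     "server": "nginx/1.18.0 (Ubuntu)",
     "filenames": ["/Jo89Ku7d/Style.css", "/Jo89Ku7d/Ico.ico"], "size_bytes": 4096},
    {"url": "http://panel.example.invalid/CoreOPT/Login.php",
     "server": "Apache/2.4.58",
     "filenames": ["/CoreOPT/style.css"], "size_bytes": 1024},  # Ico.ico missing: no hit
    {"url": "https://shop.example.invalid/account/login.php",
     "server": "nginx/1.18.0 (Ubuntu)",
     "filenames": ["/account/style.css", "/account/Ico.ico"], "size_bytes": 10240},  # lowercase login.php: no hit
]

if __name__ == "__main__":
    for url in hunt(SAMPLE_RECORDS):
        print("fingerprint hit:", url)
```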
## Mitigation Strategies
- **Prevention Measures:** Blocking the listed domains and IPs at the network perimeter (DNS/Proxy/Firewall).
- **Hardening Recommendations:** Improving email gateway filtering and user training against social engineering tactics often associated with phishing campaigns utilizing Amadey.
## Related Tools/Techniques
- Lumma Stealer (Payload)
- Redline (Payload)
- Mystic (Payload)
- Infrastructure pivot using Resource Hash on platforms like urlscan.io.