Amadey

Try in Splunk Security Cloud

Description

This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-06-16
• Author: Teoderick Contreras, Splunk
• ID: a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c

Narrative

Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.

Detections

Name	Technique	Type
Detect Outlook exe writing a zip file	Phishing, Spearphishing Attachment	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Process Creating LNK file in Suspicious Location	Phishing, Spearphishing Link	TTP
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Suspicious Process Executed From Container File	Malicious File, Masquerade File Type	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Windows Credentials from Password Stores Chrome Extension Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome LocalState Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome Login Data Access	Query Registry	Anomaly
Windows Files and Dirs Access Rights Modification Via Icacls	Windows File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
Windows ISO LNK File Creation	Spearphishing Attachment, Phishing, Malicious Link, User Execution	Hunting
Windows Powershell RemoteSigned File	PowerShell, Command and Scripting Interpreter	Anomaly

Reference

• https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
• https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities

source | version: 1