Understanding Botnets and Their Threats: How Amadey and Other Malware Hijack Computers for Cybercrime

Botnets are networks of compromised computers that are controlled by hackers for various malicious purposes. Botnets can be used to launch large-scale attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, ransomware infections, and more. In this blog post, we will explain what botnets are, how they are created, managed, and utilized for cybercrime, using Amadey as a prime example. We will also discuss how to detect and prevent botnet infections, and how to protect yourself from botnet attacks.

What are botnets and how do they work?

A botnet is a collection of networked devices that are infected with malware and hijacked by hackers. The term “botnet” comes from the words “robot” and “network”. The devices that are part of a botnet are called “bots” or “zombies”, and they can include computers, smartphones, routers, IoT devices, and more. The hackers that control the botnet are called “botmasters” or “bot-herders”, and they can use various methods to communicate with the bots, such as command and control (C2) servers, peer-to-peer (P2P) networks, or social media platforms.

How Botnets Are Created:

  • Infection Phase: The infection phase is the first step in creating a botnet. The attacker tries to infect as many devices as possible with malware that can turn them into bots. The malware can be delivered through different methods, such as:
    • Phishing emails: These are emails that pretend to be from a legitimate source, such as a bank or a social media platform, and ask the user to click on a link or open an attachment that contains malware. For example, the Emotet botnet used phishing emails that looked like invoices, shipping notifications, or COVID-19 updates to trick users into downloading malicious files.
    • Malicious websites: These are websites that host malware or redirect users to malware-infected sites. The user may reach these websites by clicking on malicious links, ads, or pop-ups, or by mistyping a legitimate URL. For example, the Mirai botnet used malicious websites that exploited vulnerabilities in web browsers and plugins to infect devices.
    • Exploiting vulnerabilities: These are flaws or weaknesses in software or hardware that allow an attacker to execute malicious code or commands on a device. The attacker may scan the internet for devices running unpatched or outdated software or firmware, and then exploit the vulnerabilities to install malware. For example, the VPNFilter botnet used exploits for routers and network-attached storage devices to infect them with malware.
    • Other malware distribution channels: These are other ways that malware can spread from one device to another, such as removable media, peer-to-peer networks, or social engineering. For example, the Stuxnet botnet used USB drives and network shares to infect devices with malware.
  • Control Phase: The control phase is the second step in creating a botnet. The attacker tries to establish and maintain a connection between the infected devices and a command-and-control (C&C) server. The C&C server is the central point of communication and coordination for the botnet. The attacker can use the C&C server to send commands, updates, or instructions to the bots, and to receive information, data, or feedback from them. The C&C server can be implemented in different ways, such as:
    • Centralized C&C server: This is a single server or a small number of servers that control the entire botnet. The advantage of this method is that it is simple and efficient; the disadvantage is that it is a single point of failure that is vulnerable to detection and disruption. For example, the Zeus botnet used a centralized C&C server hosted on a domain name that changed periodically to evade security measures.
    • Decentralized C&C server: This is a network of servers or devices that control the botnet in a distributed manner. The advantage of this method is that it is resilient and scalable; the disadvantage is that it is complex and costly. For example, the Storm botnet used a decentralized C&C structure based on a peer-to-peer (P2P) network, where each bot could act as a server or a client.
    • Hybrid C&C server: This combines centralized and decentralized C&C servers so that the botnet can be controlled in a flexible and adaptive manner. The advantage of this method is that it is robust and versatile; the disadvantage is that it is harder to build and operate. For example, the Conficker botnet used a hybrid C&C scheme that relied on both domain names and P2P networks to communicate with the bots.
  • Assembly Phase: The assembly phase is the third step in creating a botnet. The attacker tries to expand and optimize the botnet by infecting more devices and improving the performance and functionality of the bots. The attacker can use different techniques to achieve this, such as:
    • Self-propagation: This is the ability of the malware to spread itself to other devices without the user’s intervention or awareness. The malware can use various methods to self-propagate, such as scanning the internet for vulnerable devices, exploiting network protocols or services, or copying itself to removable media or network shares. For example, the Sality botnet used self-propagation to infect devices by exploiting a vulnerability in the Windows Autorun feature.
    • Self-updating: This is the ability of the malware to update itself with new or modified code or features. The malware can use various methods to self-update, such as downloading patches or modules from the C&C server, exchanging code or data with other bots, or generating code or data dynamically. For example, the TDL botnet used self-updating to infect devices with a rootkit that could hide itself from antivirus software and modify its behavior.
    • Self-defense: This is the ability of the malware to protect itself from detection or removal. The malware can use various methods to self-defend, such as encrypting or obfuscating its code or data, disabling or evading security software or tools, or deleting or modifying system files or settings. For example, the ZeroAccess botnet used self-defense to infect devices with a kernel-mode rootkit that could prevent its deletion and block access to security websites.
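A bot kept under a central C&C server has to check in on a schedule, and that regularity is what a defender can look for in proxy logs. The following is an added example, not from this post or from any botnet's code: it groups constructed proxy-log lines by source and destination and flags pairs whose request intervals are nearly constant. The log format, hostnames, IPs and thresholds are all assumptions made for the example.

```python
"""Flag beacon-like HTTP traffic in proxy logs: many requests from one source to
one host at near-constant intervals. The log format, hostnames and thresholds
are constructed for this example, not taken from Amadey or any real panel."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def parse_proxy_line(line):
    """Constructed format: `<ISO timestamp> <src ip> <method> <host> <path> <status>`."""
    ts, src, _method, host, _path, _status = line.split()
    return datetime.fromisoformat(ts), src, host

def find_beacons(lines, min_requests=6, max_cv=0.15):
    """Return {(src, host): (count, mean_gap_s, cv)} for pairs whose inter-request
    gaps are regular. cv = stdev/mean of the gaps: human browsing is bursty
    (high cv); a timer-driven check-in is not (low cv)."""
    times = defaultdict(list)
    for line in lines:
        ts, src, host = parse_proxy_line(line)
        times[(src, host)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            hits[key] = (len(stamps), round(m, 1), round(cv, 3))
    return hits

def _stamp(sec):
    return f"2024-03-01T09:{sec // 60:02d}:{sec % 60:02d}"

# Constructed sample: 10.0.0.5 checks in roughly every 60 s (small jitter);
# 10.0.0.7 browses a news site in irregular bursts.
BEACON_SECS = [0, 61, 119, 181, 240, 299, 361, 420]
BROWSE_SECS = [0, 2, 3, 45, 47, 300, 301, 900]
SAMPLE_LOG = [f"{_stamp(s)} 10.0.0.5 POST cdn-update.example /api/ping 200" for s in BEACON_SECS]
SAMPLE_LOG += [f"{_stamp(s)} 10.0.0.7 GET news.example /story/{s} 200" for s in BROWSE_SECS]

def detect_sample():
    return find_beacons(SAMPLE_LOG)

if __name__ == "__main__":
    for (src, host), (n, gap, cv) in detect_sample().items():
        print(f"{src} -> {host}: {n} requests, ~{gap}s apart, cv={cv}")
```

Real implants add jitter and sleep skew on purpose, so treat the cv threshold as a tuning knob and corroborate a hit with the destination's reputation and the process that made the request.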

How Botnets Work:

Botnets can be used for a variety of malicious purposes, including but not limited to:

  • Distributed Denial of Service (DDoS) Attacks: A DDoS attack aims to disrupt the normal functioning of a website, server, or network by flooding it with malicious traffic. The attacker uses the botnet to send a large number of requests to the target simultaneously. The target cannot handle the overwhelming volume of requests and either slows down or crashes, preventing legitimate users from accessing it. A DDoS attack can cause financial losses, reputational damage, and operational disruption for the target. For example, in 2016, the Mirai botnet launched a massive DDoS attack against Dyn, a DNS provider, affecting many popular websites such as Twitter, Netflix, and Reddit.
  • Spamming: Spamming is the practice of sending unsolicited and unwanted messages, usually via email, to a large number of recipients. The attacker uses the botnet to send out spam emails, which can contain advertisements, scams, malware, or phishing links. The attacker can profit from spamming by generating revenue from clicks, selling products or services, stealing information, or infecting more devices. For example, in 2010, the Cutwail botnet was responsible for sending out billions of spam emails per day, accounting for 15% of the global spam volume.
  • Data Theft: Data theft is the act of stealing sensitive or valuable information from a computer, device, or network. The attacker uses the botnet to harvest data from the infected devices. The data can include personal information, financial information, login credentials, intellectual property, or trade secrets. The attacker can use the data for identity theft, fraud, extortion, blackmail, or espionage. For example, in 2014, the Gameover Zeus botnet was used to steal over $100 million from bank accounts, by using the CryptoLocker malware to encrypt the victims’ files and demand a ransom for decryption.
  • Cryptocurrency Mining: Cryptocurrency mining is the process of using computational power to solve complex mathematical problems and verify transactions on a blockchain network, in exchange for a reward in the form of cryptocurrency. The attacker uses the botnet to mine cryptocurrency without the users’ consent or knowledge. The attacker profits from the mining rewards, while the users suffer reduced performance, increased power consumption, and potential damage to their devices. For example, in 2018, the Smominru botnet was used to mine over $3 million worth of Monero, a cryptocurrency known for its anonymity and privacy features.
  • Malware Distribution: Malware distribution is the act of spreading malicious software to other computers, devices, or networks. The attacker uses the botnet to distribute malware to other devices. The malware can have various functions, such as stealing data, encrypting files, displaying ads, spying on users, or creating backdoors. The attacker can use malware distribution to infect more devices, expand the botnet, or launch other cyberattacks. For example, in 2017, the Necurs botnet was used to distribute a ransomware called Locky, which encrypted the victims’ files and demanded payment for decryption.

What is Amadey and what types of attacks does it enable?

Amadey is a malware family that was first discovered in 2018 and has been used to create and manage botnets. Amadey is a simple and modular Trojan that can download and execute additional malware or plugins from a C2 server. Amadey is sold as a malware-as-a-service (MaaS) platform, meaning that hackers can rent or buy access to the botnet and use it for their own purposes. Amadey has been used by multiple threat actors to enable various types of attacks, such as:

  • DDoS attacks: Amadey has been used to launch DDoS attacks against various targets, such as gaming servers, online casinos, or cryptocurrency exchanges. Amadey can download and execute a DDoS plugin that can generate and send traffic to the target using various protocols, such as HTTP, UDP, or TCP.
  • Spam campaigns: Amadey has been used to send spam emails or messages to various recipients, usually for phishing or malware distribution purposes. Amadey can download and execute a spam plugin that can send emails or messages using various services, such as SMTP, Telegram, or WhatsApp.
  • Ransomware infections: Amadey has been used to distribute ransomware to various targets, such as individuals, businesses, or organizations. Amadey can download and execute a ransomware payload that can encrypt the files or systems of the victims and demand a ransom for their decryption. Some of the ransomware families that have been distributed by Amadey are Stop, Dharma, and Phobos.
  • Information theft: Amadey has been used to steal information from the infected devices, such as credentials, browser data, cryptocurrency wallets, or system information. Amadey can download and execute an information stealer payload that can collect and exfiltrate data from various applications, such as browsers, FTP clients, or email clients. Some of the information stealer families that have been distributed by Amadey are Redline, Vidar, and SmokeLoader.

Amadey is written in C++ and uses various techniques to evade detection and analysis, such as obfuscation, encryption, anti-sandbox, anti-debug, and anti-VM checks. It also uses various methods to persist on the host (registry keys, scheduled tasks) and to communicate with its C2 (HTTP requests). Amadey is usually delivered by exploit kits, such as Rig or Fallout, or by phishing emails or messages.

At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.