article featured image


A LockBit 3.0 affiliate is targeting companies with phishing emails, tricking them into installing the Amadey Bot and taking control of their devices.

The attack’s LockBit 3.0 payload is downloaded as a PowerShell script or executable file that runs on the host computer and encrypts files.

What Is the Amadey Bot?

The Amadey Bot malware is an old strain able of performing system reconnaissance, payload loading, and data exfiltration. The activity of this malware started increasing in 2022, after a new version was released in July.

The most recent version improved antivirus detection and auto-avoidance features, making incursions and payload drops more covert.

The more recent attack packs a LockBit 3.0 payload in place of the information-stealing malware that Amadey delivered in the July campaign, such as RedLine.

How Is the Bot Operating?

According to BleepingComputer, security researchers observed two distinct distribution chains, one using a VBA macro inside a Word document, and the other one disguising the malicious executable as a Word file. Typically, the victims would receive emails containing either job application offers or copyright infringement notices, which when accessed would instead install the Amadey Bot into their systems.

In the first instance, in order to run the macro that creates an LNK file and saves it to “C: UsersPublicskem.lnk,” the user must click the “Enable Content” button. This file serves as Amadey’s downloader.

In the second case, which was seen in late October, email attachments containing the file “Resume.exe” (Amadey) are used to deceive recipients into double-clicking.

When launched for the first time, the malware infiltrates the TEMP directory and creates a scheduled task to establish persistence between system reboots. Next, it will connect to the C2, and send the host a profiling report, after which it waits to receive commands.

The three available commands from the C2 server specify whether LockBit should be downloaded and executed in PowerShell (as in “cc.ps1” or “dd.ps1”) or as an executable file (as in “LBB.exe”).

The payloads are dropped in TEMP as one of the following three files:

  • %TEMP%\1000018041\dd.ps1
  • %TEMP%\1000019041\cc.ps1
  • %TEMP%\1000020001\LBB.exe

LockBit would encrypt from there the files of the user and will generate a ransom note demanding payment, threatening to make the stolen files publicly available on the group’s website.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *