LockBit affiliate uses Amadey Bot malware to deploy ransomware
A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of devices and encrypt them.
The Amadey Bot malware is an old strain capable of performing system reconnaissance, data exfiltration, and payload loading.
Korean researchers at AhnLab have noticed increased Amadey Bot activity in 2022 and reported finding a new version of the malware in July, dropped via SmokeLoader.
In the July campaign, Amadey dropped various information-stealing malware, such as RedLine, but the more recent campaign loads a LockBit 3.0 payload instead.
Infection chains
The second case, seen in late October, uses email attachments with a file named "Resume.exe" that uses a Word document icon, tricking recipients into double-clicking.
In September 2022, AhnLab observed another two methods of LockBit 3.0 distribution, one using DOTM documents with a malicious VBA macro and one dropping ZIP files containing the malware in NSIS format.
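The three delivery formats named above (an executable posing as a document, a DOTM carrying a VBA macro, and a ZIP holding an NSIS installer) can be triaged by file content rather than by name or icon. The following is an added example, not code from AhnLab or the original article; the function names, tags, size limit and sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"  # NSIS first-header magic + signature
MAX_MEMBER = 50 * 1024 * 1024                    # skip oversized members (zip-bomb guard)

def triage(name, data, depth=0):
    """Return (file, tag) pairs for content matching the delivery formats above."""
    hits = []
    if data[:2] == b"MZ":                        # DOS/PE header, whatever the icon shows
        hits.append((name, "executable"))
        if NSIS_MARKER in data:
            hits.append((name, "nsis-installer"))
    buf = io.BytesIO(data)
    if depth < 2 and zipfile.is_zipfile(buf):    # ZIP archive or OOXML (DOTM) container
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    hits.append((name, "vba-macro-project"))
                elif info.flag_bits & 0x1:       # encrypted member: cannot inspect
                    hits.append((info.filename, "encrypted-member"))
                elif info.file_size <= MAX_MEMBER:
                    hits += triage(info.filename, zf.read(info), depth + 1)
    return hits

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed samples: harmless byte strings that only mimic the file signatures.
FAKE_EXE = b"MZ" + b"\x00" * 64
FAKE_NSIS = FAKE_EXE + NSIS_MARKER + b"\x00" * 16
SAMPLES = {
    "Resume.exe": FAKE_EXE,
    "form.dotm": make_zip({"[Content_Types].xml": b"<Types/>",
                           "word/vbaProject.bin": b"\x00"}),
    "docs.zip": make_zip({"setup.exe": FAKE_NSIS}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, triage(fname, blob))
```

A hit is a reason to quarantine or inspect the attachment further, not a verdict: legitimate software also ships as NSIS installers and macro-enabled templates.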