Malware, Threat Intelligence, DevSecOps

Ameday campaign used GitLab server to retrieve StealC infostealer

The Amadey malware loader was used to retrieve the StealC infostealer from a compromised self-hosted GitLab instance in a recent campaign uncovered by Trellix.

The campaign targeted browser credentials and cryptocurrency transactions, achieving the latter through a DLL plugin that replaces cryptocurrency wallets in the user’s clipboard with the attacker’s own wallet.

The GitLab instance hosting the StealC payload is hosted at bzctoons[.]net, a domain that was first registered in 2003. The user account that created the malicious repository was created in 2018, but the repo containing StealC was only created within days of Trellix’s discovery, the researchers noted.

“Overall, the domain appears to belong to a small-scale organization hosting GitLab with multiple users. Evidence suggests that either the user account or the entire infrastructure has been compromised,” Trellix said in its blog post published Thursday.

Amadey, a loader that has been active since 2018, is previously known to retrieve its payloads from GitHub repos. In this case, the attackers take advantage of the self-hosted instance’s longstanding domain to help evade detection and avoid potential takedowns by GitHub.


Related reading:


The Amadey loader in this campaign was installed with the file name "Yfgfwb.exe" and deployed an anti-duplication mutex that was also noted to be used as the RC4 encryption key for the loader’s command-and-control (C2) communications.

Amadey additionally uses a modified base64 algorithm to encode strings, which replaces the standard base character set with a custom character set. Trellix’s blog post includes an IDAPython script to help analysts easily decode Amadey base64-encoded strings.

The loader always copies and relaunches itself from the AppData folder and uses scheduled tasks and job files to establish persistence. It attempts to detect specific antivirus software solutions, such as AVAST, ESET, BitDefender and Norton, and tailors its behavior depending on the solutions identified.

Amadey sends the victim’s system information to the attacker’s C2 server, from which it can also receive commands to load Amadey plugins, such as the crypto clipper plugin, deploy additional payloads, perform process injections and conduct additional system reconnaissance, according to Trellix.



It retrieves the StealC infostealer, which targets Google Chrome and Microsoft Edge credentials, from the compromised GitLab instance and StealC then exfiltrates the stolen credentials to a separate C2 server.

Trellix recommended operators of self-hosted development infrastructure, such as self-hosted GitLab instances, regularly audit this infrastructure for inactive accounts and unusual activity.

“Behavioral detection for process chains involving rundll32 and PowerShell can help identify loader activity, while network segmentation can limit the impact of compromised development servers,” the blog post stated.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds