
Andromeda Modular Botnet

Andromeda (also known as Win32/Gamarue) is an HTTP-based modular botnet with anti-detection and anti-analysis capabilities. Infection typically occurs through phishing campaigns, malicious email attachments, pirated software and illegal download sites. The botnet was first spotted in late 2011.

Like well-known bots such as ZeuS, Andromeda is modular: it exposes a plug-in interface and can incorporate various modules, such as:

  • Keyloggers
  • Form grabbers
  • SOCKS4 proxy module
  • Rootkits

The malware itself consists of a loader, with functionality provided by modules downloaded from its command and control (C2) server. These freely available plugins have various capabilities, such as key-logging, certificate theft, data exfiltration, backdoor installation and file downloading. This modularity makes Andromeda highly flexible and popular as a delivery mechanism for other malware campaigns.

C2 communications are encrypted with RC4 to hinder network-level tracking, and Andromeda installs copies of its component files rather than a copy of itself, which complicates detection based on the original dropper.
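To show what "RC4-encrypted C2 traffic" means in practice, here is an added example (not Andromeda's code and not from the original post): a self-contained RC4 implementation, a round-trip of a constructed beacon under a constructed key, and a check of the property a practitioner should keep in mind when a bot uses a fixed RC4 key without a per-message nonce: the keystream repeats, so XORing two captured ciphertexts yields the XOR of the two plaintexts. The key, the beacon layout and the sample messages are assumptions made for illustration; a real analysis would recover the key from the loader. The known-answer check uses the standard RC4 test vector (key "Key", plaintext "Plaintext").

```python
"""RC4 as used for C2 obfuscation: added example, not Andromeda's code.

The key, beacon layout and sample messages below are constructed for
illustration only. The known-answer vector is the standard RC4 test vector.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes: key-scheduling (KSA) then generation (PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                              # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is a stream cipher, so the same call does both."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def known_answer_check() -> str:
    """Standard RC4 test vector; returns the ciphertext as hex."""
    return rc4(b"Key", b"Plaintext").hex()


# Constructed sample key and beacons (assumptions, NOT real Andromeda values).
SAMPLE_KEY = b"example-campaign-key"
BEACON_A = b"id:1001|bid:7|os:6.1|la:10.0.0.5|rg:1"
BEACON_B = b"id:2002|bid:7|os:6.3|la:10.0.0.9|rg:0"


def roundtrip(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then decrypt with the same key; must return the plaintext."""
    return rc4(key, rc4(key, plaintext))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """With a fixed key and no nonce the keystream is identical for every
    message, so c1 XOR c2 == p1 XOR p2. An analyst with one known plaintext
    (or a predictable beacon layout) can recover the other without the key."""
    c1 = rc4(key, p1)
    c2 = rc4(key, p2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print("known-answer:", known_answer_check())
    print("roundtrip ok:", roundtrip(SAMPLE_KEY, BEACON_A) == BEACON_A)
    leak = keystream_reuse_leak(SAMPLE_KEY, BEACON_A, BEACON_B)
    print("c1^c2 == p1^p2:", leak == xor_bytes(BEACON_A, BEACON_B))
```

The practical consequence for traffic analysis: once the per-campaign key is pulled from the loader, the same routine decrypts both the bot's check-ins and the C2's responses, and even without the key, a predictable beacon layout makes fixed-key RC4 traffic partially recoverable from two captures.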

Typically, variants of the Andromeda malware can be bought on underground forums for US$300-500. Prices vary with the version of the botnet and with how much the customer is willing to spend on the modules that come with it. The most recent version number I have identified is version 2.09.

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}rph.su/in.php
  • http://{BLOCKED}gonzmwuehky.nl/in.php
  • http://{BLOCKED}jtvmein.in/in.php
  • http://{BLOCKED}ryConvention.ru/new/gate.php
  • http://{BLOCKED}amcam.ru/new/gate.php
  • http://{BLOCKED}Pod.ru/new/gate.php
  • http://{BLOCKED}it.ru/new/gate.php
  • http://{BLOCKED}Images.com/new/gate.php
  • http://{BLOCKED}rososoft.ru/in.php
  • http://{BLOCKED}h.ru/new/gate.php
  • http://{BLOCKED}bcgrvkj.ru/in.php
  • http://{BLOCKED}ewsqhct.in/in.php

Other URLs may also be used.
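The hostnames in the list above are redacted, so the reusable part of these indicators is the request path (`/in.php` and `/new/gate.php`) combined with the behaviour of the traffic. As an added example, not from the original post, the Python below parses a constructed proxy-log format, flags requests to those paths, and then groups hits by source and destination so that repeated check-ins to the same gate stand out from a one-off visit to an unrelated site that happens to use the same path. The log format, every sample line and every hostname are constructed; restricting matches to POST requests is an assumption about how the bot talks to its gate, not something the post states.

```python
"""Flag Andromeda-style C2 paths in proxy logs: added example, not from the post.

The log format, hostnames and sample lines are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Paths from the post's C2 list; hostnames there are redacted.
C2_PATHS = ("/in.php", "/new/gate.php")

# Constructed format: "<timestamp> <src_ip> <method> <url> <status> <req_bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^http://(?P<host>[^/]+)(?P<path>/[^?]*)")

# Constructed sample log; ".invalid" hosts are placeholders, not real C2s.
SAMPLE_LOG = """\
2017-04-03T10:01:02Z 10.0.0.5 POST http://example-c2.invalid/in.php 200 244
2017-04-03T10:01:09Z 10.0.0.5 GET http://www.example.com/index.php 200 5120
2017-04-03T10:02:41Z 10.0.0.9 POST http://other-c2.invalid/new/gate.php 200 251
2017-04-03T10:03:00Z 10.0.0.7 GET http://cdn.example.com/new/gate.php?x=1 304 0
this line is malformed and must be skipped
2017-04-03T10:03:30Z 10.0.0.5 POST http://example-c2.invalid/in.php 200 240
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    rec = m.groupdict()
    rec["host"] = u.group("host").lower()
    rec["path"] = u.group("path")          # query string stripped
    return rec


def find_c2_candidates(log_text: str,
                       paths: Tuple[str, ...] = C2_PATHS,
                       methods: Tuple[str, ...] = ("POST",)) -> List[Dict[str, str]]:
    """Requests whose path is a known gate path and whose method matches.
    The POST filter is an assumption about the bot's check-in style."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in paths and rec["method"] in methods:
            hits.append(rec)
    return hits


def beaconing_pairs(hits: List[Dict[str, str]],
                    min_requests: int = 2) -> Dict[Tuple[str, str], int]:
    """Count hits per (source, host); repeated posts to one gate look like check-ins."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h["src"], h["host"])
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_requests}


if __name__ == "__main__":
    found = find_c2_candidates(SAMPLE_LOG)
    for rec in found:
        print(rec["ts"], rec["src"], "->", rec["host"] + rec["path"])
    print("repeat check-ins:", beaconing_pairs(found))
```

A path-only match is a weak indicator on its own (`gate.php` and `in.php` are generic names), which is why the example layers the method filter and the repeat-count on top; in a real deployment you would also look at the request body, since the post notes the C2 traffic is RC4-encrypted and so will not look like ordinary form data.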

IBM X-Force is watching Andromeda's growth and has identified the countries most affected by it. As of April 3, 2017, data from the X-Force Botnet Report showed that Andromeda had infected more than 26,000 devices, with infection rates trending upward.

Affected Platforms

Microsoft Windows – All Versions



Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
