Andromeda Botnet

Original Issue Date: March 12, 2018
Type: Backdoor
Severity: Medium

It has been reported that variants of the malware family known as “Andromeda” or “Gamarue” are spreading. The malware mainly targets Windows operating systems to build a network of infected computers that then become part of the Andromeda botnet. The botnet is then used to distribute the other malware families with which Andromeda is associated. The malware is a modular bot whose functionality can be extended through plugins, for example plugins for a keylogger, a rootkit, TeamViewer and a spreader. The infection vectors used by the malware include spear-phishing emails, drive-by downloads, infected cracks or keygens, removable drives, malicious links sent through social media (such as Facebook) messages, and exploit kits such as Blacole. This botnet was taken down by law enforcement agencies, in close cooperation with public, private and government organizations worldwide, on 29 November 2017.

The malware is capable of performing the following functions:

  • Uses anti-virtual-machine and anti-debugging techniques.
  • Creates botnets that may be used as a launch pad for further attacks by distributing other malware such as ransomware (Petya, Cerber, Troldesh), banking Trojans (Ursnif, Fareit and Carberp), DDoS malware (Fareit, Kasidet), spam bots (Cutwail and Lethic), backdoors, etc.
  • It was used as a part of the Avalanche botnet.
  • It works as a backdoor that may receive commands from its control server to download and execute files, open remote shells, or uninstall itself from the system.
  • It resides in memory.
  • Steals sensitive information such as operating system information, the local IP address and the root volume serial number.

Aliases: Gamarue, Wauchos, Backdoor.Andromeda

Indicators of compromise:

File system changes:

  • %All Users Profile%\Local Settings\Temp\{random}.{random extension}
  • %All Users Profile%\svchost.exe
  • %All Users Profile%\{random}.exe
  • %Program Data%\svchost.exe
  • %User Temp%\{random}.exe

Injects itself into the following processes:

The malware creates a new instance of each of the processes below and injects itself into it.

  • %SystemRoot%\system32\msiexec.exe
  • %SystemRoot%\system32\svchost.exe
  • %SystemRoot%\system32\wuauclt.exe
  • %commonappdata%\mswstxqd.exe
  • %ALLUSERSPROFILE%\mszxurmu.exe

Registry changes:

Registry changes made by the malware are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched = "%All Users Profile%\svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 540 = "%All Users Profile%\Local Settings\Temp\{random}.{random extension}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List {malware path and file name} = "{malware path and file name}:*:Enabled:Marko"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 540 = "%All Users Profile%\{random}.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List {malware path and file name} = "{malware path and file name}:*:Enabled:{malware file name}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"
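The following script is an added example for this section, not part of the advisory: it compares a snapshot of the two Run keys and the firewall AuthorizedApplications list against the value names and data patterns listed above. On Windows the snapshot is read with the standard-library winreg module; elsewhere a constructed sample snapshot is used so the logic can be exercised offline. It generalises slightly beyond the list: any Run value that launches an svchost.exe outside System32 is flagged, while the genuine Java updater's SunJavaUpdateSched value (which launches jusched.exe, not svchost.exe) is not. The sample data, the short key labels and the finding tuple format are this example's own.

```python
# Added example (not part of the advisory): match registry autorun and Windows
# Firewall AuthorizedApplications values against the persistence indicators above.
import sys

# HKLM subkeys from the advisory, in the form winreg.OpenKey expects.
RUN_SUB = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN_SUB = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
FIREWALL_SUB = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def basename(path):
    """Last component of a Windows path, unquoted and lower-cased."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system32(path):
    """True when the path points into %SystemRoot%\\System32 (or %System%)."""
    p = path.strip('"').replace("/", "\\").lower()
    return ("\\windows\\system32\\" in p
            or p.startswith(("%system%\\", "%systemroot%\\system32\\")))


def parse_firewall_entry(data):
    """Split '<path>:*:Enabled:<name>' or '<path>:*:<name>' into (path, name)."""
    if ":*:" not in data:
        return None, None
    path, rest = data.split(":*:", 1)
    return path, rest[8:] if rest.lower().startswith("enabled:") else rest


def check_autoruns(run_values, policy_run_values):
    """Each argument is {value name: data} for one of the two Run keys.
    Returns (key, value name, data, reason) tuples."""
    findings = []
    for name, data in run_values.items():
        exe = basename(data)
        # The genuine Java updater also registers 'SunJavaUpdateSched', but it
        # launches jusched.exe; the Andromeda copy launches a dropped svchost.exe.
        if name == "SunJavaUpdateSched" and exe == "svchost.exe":
            findings.append(("Run", name, data, "SunJavaUpdateSched launching svchost.exe"))
        elif exe == "svchost.exe" and not is_system32(data):
            findings.append(("Run", name, data, "svchost.exe autorun outside System32"))
    for name, data in policy_run_values.items():
        if name == "540":  # value name the advisory reports under policies\Explorer\Run
            findings.append(("policies\\Explorer\\Run", name, data, "advisory-listed value '540'"))
    return findings


def check_firewall_list(fw_values):
    """fw_values: {value name: data} for the AuthorizedApplications\\List key."""
    findings = []
    for name, data in fw_values.items():
        path, display = parse_firewall_entry(data)
        if path is None:
            continue
        exe = basename(path)
        if display == "Marko" or (display == "Generic Host Process"
                                  and exe in ("msiexec.exe", "svchost.exe")):
            reason = "advisory-listed display name '%s'" % display
        elif display.lower() == exe:
            # '{malware path}:*:Enabled:{malware file name}' pattern; weaker, since
            # some legitimate installers also name the exception after the exe.
            reason = "display name equals executable name (weak)"
        else:
            continue
        findings.append(("AuthorizedApplications\\List", name, data, reason))
    return findings


def collect_live_windows():
    """Read the three keys from the local registry; Windows only (stdlib winreg)."""
    import winreg

    def dump(subkey):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
                    n, v, _ = winreg.EnumValue(k, i)
                    out[n] = str(v)
        except OSError:
            pass  # key absent on this host
        return out

    return dump(RUN_SUB), dump(POLICY_RUN_SUB), dump(FIREWALL_SUB)


# Constructed sample snapshot (not real data) mirroring the advisory's entries.
SAMPLE_RUN = {
    "SunJavaUpdateSched": r"C:\ProgramData\svchost.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",  # benign
}
SAMPLE_POLICY_RUN = {"540": r"C:\ProgramData\Local Settings\Temp\kqzl.dat"}
SAMPLE_FIREWALL = {
    r"C:\ProgramData\svchost.exe": r"C:\ProgramData\svchost.exe:*:Enabled:Marko",
    r"C:\Windows\System32\msiexec.exe": r"C:\Windows\System32\msiexec.exe:*:Generic Host Process",
    r"C:\Program Files\Foo\foo.exe": r"C:\Program Files\Foo\foo.exe:*:Enabled:Foo Updater",  # benign
}

if __name__ == "__main__":
    if sys.platform == "win32":
        run, policy, fw = collect_live_windows()
    else:
        run, policy, fw = SAMPLE_RUN, SAMPLE_POLICY_RUN, SAMPLE_FIREWALL
    for key, value, data, reason in check_autoruns(run, policy) + check_firewall_list(fw):
        print("%-28s %-22s %s  [%s]" % (key, value, data, reason))
```

The "display name equals executable name" rule is deliberately reported as weak: it is the only way to express the advisory's "{malware file name}" placeholder, and some legitimate installers register their exception the same way, so treat it as a lead to confirm against the file-system indicators rather than a verdict on its own.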

Network Connections:

The malware connects to the following domains:

  • {BLOCKED}rph[dot]su/in.php
  • {BLOCKED}gonzmwuehky[dot]nl/in.php
  • {BLOCKED}jtvmein[dot]in/in.php
  • {BLOCKED}ryConvention[dot]ru/new/gate.php
  • {BLOCKED}amcam[dot]ru/new/gate.php
  • {BLOCKED}Pod[dot]ru/new/gate.php
  • {BLOCKED}it[dot]ru/new/gate.php
  • {BLOCKED}Images[dot]com/new/gate.php
  • {BLOCKED}rososoft[dot]ru/in.php
  • {BLOCKED}h[dot]ru/new/gate.php
  • {BLOCKED}bcgrvkj[dot]ru/in.php
  • {BLOCKED}ewsqhct[dot]in/in.php
  • cityhotlove[dot]com
  • clothesshopuppy[dot]com
  • conpastcon[dot]com
  • freefinder[dot]me
  • grrrff24213402[dot]com
  • grrrff2452[dot]com
  • iurhjfnmflsdf[dot]com
  • lanamakotrue[dot]com
  • mgrsdfkprogerg[dot]com
  • pastinwest[dot]com
  • puppyclothesshop1[dot]net
  • puppyclothesshop2[dot]net

Countermeasures:

  • Users are advised to visit “Cyber Swachhta Kendra” for advice on disinfecting their systems: www.cyberswachhtakendra.gov.in
  • Remove the system changes made by the malware, such as the files created, registry entries and services.
  • Monitor traffic generated from client machines to the domains and IP addresses listed in the Network Connections section above.
  • Avoid downloading pirated software.
  • Protect yourself from social engineering attacks.
  • Scan infected systems with an updated antivirus solution.
  • Disable Autorun and Autoplay policies.
  • Use a limited-privilege user account on the computer, and grant administrative access only through dedicated administrative accounts.
  • Do not visit untrusted websites.
  • Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Always change default login credentials before deployment in production.

References