Skip to main content

The Andromeda botnet still lingers as nations struggle to clean infected PCs

A recent threat landscape report published by Fortinet suggests that although the FBI and European law enforcement ended the Andromeda botnet’s reign in late 2017, there are still systems infected with the malware. The firm indicates that the process of cleaning up the infected PCs isn’t progressing at the same pace across regions, as it’s still a large problem in Africa, Asia, and the Middle East.

At its core, Andromeda — or rather Gamarue —  is a platform to deliver a galaxy of malware variants (actually just a mere 80) including ransomware, banking trojans, spam bots, click-fraud malware and more. Between June 2017 and its supposed demise before the start of 2018, Andromeda was on a roll, as it was detected and blocked on more than 1 million machines each month on average.

According to Microsoft, the Andromeda command and control structure spanned 1,214 domains and IP addresses. It also comprised of 464 “distinct” botnets as well as the 80-plus associated malware families. Andromeda was sold on the black market as a “crime kit” that included a bot builder, a command-and-control application, and documentation on how to create a botnet.

What made Andromeda an extremity attractive sell was its modular nature. The kit came with two plug-ins, one of which could turn a PC into a proxy server. For an additional $150, hackers could purchase the keylogger plug-in or grab the Formgetter plug-in for another $250, which captured data submitted through web browsers.

Hackers spread Andromeda through various methods such as social media messages with malicious links, spam email with similar links, trojan downloaders and more. Once it infected a machine, Andromeda contacted a command and control server to become part of a larger network of infected PCs. Once that happened, hackers could do anything with the seized army of machines.

But as the report indicates, getting rid of Andromeda is no simple feat. In Africa alone, Andromeda has the highest prevalence with 25.6 percent followed by the H-worm at 13.8 percent and Ramnit at 10.07 percent. Andromeda tops the charts in Asia followed by Ramnit (9.83 percent) and the H-worm (7.4 percent).

The report suggests that problem with these high percentages is likely tied to the response and remediation capabilities of these countries.

Outside noting the slow progression of cleaning up the Andromeda debris, the report tips its hat at VPNFilter, a Russian-developed nation-state-sponsored attack that targets networking routers. The FBI previously distributed a warning to U.S. citizens, calling on Americans to reboot their routers to cut off possible ties to the malware’s command and control servers.

The report also calls the Smominru botnet a “notable addition,” a Monero mining malware targeting Windows-based PCs. It was spread through the EternalBlue exploit, and as a botnet mined around 24 XMR each day. As of this publication, the value of a single XMR was $81, meaning the hackers were generating around $1,944 per day.

Other botnets that are permanent fixtures on the firm’s Threat Landscape Report each month include Gh0st, Pushdo, Necurs, and three others.

Editors' Recommendations