Andromeda: A Galaxy of Pain, Coming to a Machine Near You

Although Andromeda malware was one of the top spam campaigns of 2016, it actually has a long history. There are many different versions of this malware, which was first discovered in 2011. The majority of variants use myriad infection methods, including malicious attachments, phishing campaigns, warez sites and illegal download sites. Compromised hosts cause victims’ machines to be connected to the Andromeda botnet, giving attackers the ability to push additional malware onto these machines and gain unauthorized backdoor access to an infected system.

A Botnet of Galactic Proportions

Upon execution, the malicious software captures sensitive information such as authentication credentials or downloads and installs additional malicious software, such as form grabbers and rootkits, on the system. Andromeda is an extensively modular bot, and its functions can be widely modified with freely available plugins.

In recent years, the malware’s authors have mainly focused on spreading Andromeda using exploit kits located on compromised websites and advertisement services. These exploit kits are mainly found on untrustworthy sites, such as porn, warez and video streaming sites, but occasionally appear on trusted sites as well. In the most recent version, 2.80, the authors appear to have shifted to a more microscopic approach aimed at the payment card industry.

Andromeda is very flexible and dynamic, and the behavior and functionality of its botnet can be altered using modules. Many plugins, such as keyloggers, form grabbers, rootkits and SOCKS4 proxies, are available. Andromeda uses several RC4 keys to encrypt data for communications with command-and-control (C&C) servers to make tracking and detection difficult. It installs copies of component files instead of copies of itself, which also makes detection much more difficult. Additionally, the malware has anti-sandboxing built in to prevent security researchers from analyzing it.

Infection Vector

In the sample we found and analyzed, the Andromeda malware was mainly pushed to victims through an older phishing campaign that contained Payment Card Industry Data Security Standard (PCI DSS) compliance documents or updates for the customer service systems of the Oracle MICROS PoS suite of back-office systems. The documents contained malicious macros, which are automated scripts that install network backdoor programs to join victims’ computers to the Andromeda botnet when executed.

The computers infected with the Andromeda software are joined to a botnet controlled by central C&C servers, and are capable of acting in concert to conduct distributed denial-of-service (DDoS) attacks or send email with more copies of the malicious software.

In the particular case of the variant we analyzed, the malware also attempted to scrape the random access memory of point-of-sale (PoS) systems. PoS RAM scrapers steal payment data, such as credit card track 1 and track 2 data, from infected systems. PCI DSS requires end-to-end encryption of sensitive payment data when it is transmitted, received or stored; this payment data is decrypted in the PoS system’s RAM for processing. Using regular expression queries, the scraper attempts to harvest the cleartext payment data and send that information to rogue C&C servers.

Mainstream Andromeda Uses

Although Andromeda is just a well-written piece of malware that extensively uses botnet methods, it doesn’t focus on any particular use out of the box. Besides the mainstream Angler, Neutrino and Nuclear exploit kits, we observed that Andromeda focuses largely on PoS malware, such as GamaPOS, Dridex and FastPOS, and remote-access Trojans (RATs) MSIL, Crimson and Python.

Andromeda Interface

The Andromeda interface runs from a PHP page and shows the exact geographical location of each bot.

For Michelle's 4/10 Andromeda blog

Readily Available — for a Price

Many people outside the network security space assume that the Dark Web is the sole purveyor of malware products. In the example shown below, we see one vendor who is selling Andromeda for a very cheap price. We have also been able to retrieve freely available working code packages for multiple versions by simply just searching malware forums on the open internet.

For Michelle's 4/10 Andromeda blog


IBM X-Force is watching Andromeda’s growth and has identified the countries most infected by it. As of April 3, 2017, data from our X-Force Botnet Report showed that this Andromeda has infected more than 26,000 devices, and infection rates are trending upward. The malware continues to morph and add new stealth controls. Current statistics for Andromeda can be found on the IBM X-Force Exchange. X-Force has collected over 600 MD5 hashes and many C&C servers associated with Andromeda.

Detection and Mitigation

Most intrusion detection and prevention systems (IDPS) have some coverage for Andromeda malware. However, IDPS appliances are not designed to replace a robust antivirus solution.

For the most part, Andromeda malware can be stopped as an inbound threat through employee training initiatives that teach safe computing habits and by deploying antiphishing services.

To learn more about responding to threats like the Andromeda malware, watch our on-demand webinar, “Orchestrating Your Incident Response Strategy with IBM X-Force IRIS.”

Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career in IBM over 15 years ago where he...