Although Andromeda malware was one of the top spam campaigns of 2016, it actually has a long history. There are many different versions of this malware, which was first discovered in 2011. The majority of variants use myriad infection methods, including malicious attachments, phishing campaigns, warez sites and illegal download sites. Compromised hosts cause victims’ machines to be connected to the Andromeda botnet, giving attackers the ability to push additional malware onto these machines and gain unauthorized backdoor access to an infected system.

A Botnet of Galactic Proportions

Upon execution, the malicious software captures sensitive information such as authentication credentials or downloads and installs additional malicious software, such as form grabbers and rootkits, on the system. Andromeda is an extensively modular bot, and its functions can be widely modified with freely available plugins.

In recent years, the malware’s authors have mainly focused on spreading Andromeda using exploit kits located on compromised websites and advertisement services. These exploit kits are mainly found on untrustworthy sites, such as porn, warez and video streaming sites, but occasionally appear on trusted sites as well. In the most recent version, 2.80, the authors appear to have shifted to a more microscopic approach aimed at the payment card industry.

Andromeda is very flexible and dynamic, and the behavior and functionality of its botnet can be altered using modules. Many plugins, such as keyloggers, form grabbers, rootkits and SOCKS4 proxies, are available. Andromeda uses several RC4 keys to encrypt data for communications with command-and-control (C&C) servers to make tracking and detection difficult. It installs copies of component files instead of copies of itself, which also makes detection much more difficult. Additionally, the malware has anti-sandboxing built in to prevent security researchers from analyzing it.

Infection Vector

In the sample we found and analyzed, the Andromeda malware was mainly pushed to victims through an older phishing campaign that contained Payment Card Industry Data Security Standard (PCI DSS) compliance documents or updates for the customer service systems of the Oracle MICROS PoS suite of back-office systems. The documents contained malicious macros, which are automated scripts that install network backdoor programs to join victims’ computers to the Andromeda botnet when executed.

The computers infected with the Andromeda software are joined to a botnet controlled by central C&C servers, and are capable of acting in concert to conduct distributed denial-of-service (DDoS) attacks or send email with more copies of the malicious software.

In the particular case of the variant we analyzed, the malware also attempted to scrape the random access memory of point-of-sale (PoS) systems. PoS RAM scrapers steal payment data, such as credit card track 1 and track 2 data, from infected systems. PCI DSS requires end-to-end encryption of sensitive payment data when it is transmitted, received or stored; this payment data is decrypted in the PoS system’s RAM for processing. Using regular expression queries, the scraper attempts to harvest the cleartext payment data and send that information to rogue C&C servers.

Mainstream Andromeda Uses

Although Andromeda is just a well-written piece of malware that extensively uses botnet methods, it doesn’t focus on any particular use out of the box. Besides the mainstream Angler, Neutrino and Nuclear exploit kits, we observed that Andromeda focuses largely on PoS malware, such as GamaPOS, Dridex and FastPOS, and remote-access Trojans (RATs) MSIL, Crimson and Python.

Andromeda Interface

The Andromeda interface runs from a PHP page and shows the exact geographical location of each bot.

Readily Available — for a Price

Many people outside the network security space assume that the Dark Web is the sole purveyor of malware products. In the example shown below, we see one vendor who is selling Andromeda for a very cheap price. We have also been able to retrieve freely available working code packages for multiple versions by simply just searching malware forums on the open internet.


IBM X-Force is watching Andromeda’s growth and has identified the countries most infected by it. As of April 3, 2017, data from our X-Force Botnet Report showed that this Andromeda has infected more than 26,000 devices, and infection rates are trending upward. The malware continues to morph and add new stealth controls. Current statistics for Andromeda can be found on the IBM X-Force Exchange. X-Force has collected over 600 MD5 hashes and many C&C servers associated with Andromeda.

Detection and Mitigation

Most intrusion detection and prevention systems (IDPS) have some coverage for Andromeda malware. However, IDPS appliances are not designed to replace a robust antivirus solution.

For the most part, Andromeda malware can be stopped as an inbound threat through employee training initiatives that teach safe computing habits and by deploying antiphishing services.

To learn more about responding to threats like the Andromeda malware, watch our on-demand webinar, “Orchestrating Your Incident Response Strategy with IBM X-Force IRIS.”

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today