Although Andromeda malware was one of the top spam campaigns of 2016, it actually has a long history. There are many different versions of this malware, which was first discovered in 2011. The majority of variants use myriad infection methods, including malicious attachments, phishing campaigns, warez sites and illegal download sites. Compromised hosts cause victims’ machines to be connected to the Andromeda botnet, giving attackers the ability to push additional malware onto these machines and gain unauthorized backdoor access to an infected system.

A Botnet of Galactic Proportions

Upon execution, the malicious software captures sensitive information such as authentication credentials or downloads and installs additional malicious software, such as form grabbers and rootkits, on the system. Andromeda is an extensively modular bot, and its functions can be widely modified with freely available plugins.

In recent years, the malware’s authors have mainly focused on spreading Andromeda using exploit kits located on compromised websites and advertisement services. These exploit kits are mainly found on untrustworthy sites, such as porn, warez and video streaming sites, but occasionally appear on trusted sites as well. In the most recent version, 2.80, the authors appear to have shifted to a more microscopic approach aimed at the payment card industry.

Andromeda is very flexible and dynamic, and the behavior and functionality of its botnet can be altered using modules. Many plugins, such as keyloggers, form grabbers, rootkits and SOCKS4 proxies, are available. Andromeda uses several RC4 keys to encrypt data for communications with command-and-control (C&C) servers to make tracking and detection difficult. It installs copies of component files instead of copies of itself, which also makes detection much more difficult. Additionally, the malware has anti-sandboxing built in to prevent security researchers from analyzing it.

Infection Vector

In the sample we found and analyzed, the Andromeda malware was mainly pushed to victims through an older phishing campaign that contained Payment Card Industry Data Security Standard (PCI DSS) compliance documents or updates for the customer service systems of the Oracle MICROS PoS suite of back-office systems. The documents contained malicious macros, which are automated scripts that install network backdoor programs to join victims’ computers to the Andromeda botnet when executed.

The computers infected with the Andromeda software are joined to a botnet controlled by central C&C servers, and are capable of acting in concert to conduct distributed denial-of-service (DDoS) attacks or send email with more copies of the malicious software.

In the particular case of the variant we analyzed, the malware also attempted to scrape the random access memory of point-of-sale (PoS) systems. PoS RAM scrapers steal payment data, such as credit card track 1 and track 2 data, from infected systems. PCI DSS requires end-to-end encryption of sensitive payment data when it is transmitted, received or stored; this payment data is decrypted in the PoS system’s RAM for processing. Using regular expression queries, the scraper attempts to harvest the cleartext payment data and send that information to rogue C&C servers.

Mainstream Andromeda Uses

Although Andromeda is just a well-written piece of malware that extensively uses botnet methods, it doesn’t focus on any particular use out of the box. Besides the mainstream Angler, Neutrino and Nuclear exploit kits, we observed that Andromeda focuses largely on PoS malware, such as GamaPOS, Dridex and FastPOS, and remote-access Trojans (RATs) MSIL, Crimson and Python.

Andromeda Interface

The Andromeda interface runs from a PHP page and shows the exact geographical location of each bot.

Readily Available — for a Price

Many people outside the network security space assume that the Dark Web is the sole purveyor of malware products. In the example shown below, we see one vendor who is selling Andromeda for a very cheap price. We have also been able to retrieve freely available working code packages for multiple versions by simply just searching malware forums on the open internet.


Distribution

IBM X-Force is watching Andromeda’s growth and has identified the countries most infected by it. As of April 3, 2017, data from our X-Force Botnet Report showed that this Andromeda has infected more than 26,000 devices, and infection rates are trending upward. The malware continues to morph and add new stealth controls. Current statistics for Andromeda can be found on the IBM X-Force Exchange. X-Force has collected over 600 MD5 hashes and many C&C servers associated with Andromeda.

Detection and Mitigation

Most intrusion detection and prevention systems (IDPS) have some coverage for Andromeda malware. However, IDPS appliances are not designed to replace a robust antivirus solution.

For the most part, Andromeda malware can be stopped as an inbound threat through employee training initiatives that teach safe computing habits and by deploying antiphishing services.

To learn more about responding to threats like the Andromeda malware, watch our on-demand webinar, “Orchestrating Your Incident Response Strategy with IBM X-Force IRIS.”

more from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…