Anti-Malware , Ransomware , Technology

Researchers: Andromeda Bust Collared Cybercrime Mastermind

Global Takedown Spearheaded by FBI and Europol Disrupts Massive Botnet
Researchers: Andromeda Bust Collared Cybercrime Mastermind
Workstation of a suspect arrested in connection with Andromeda botnet operations. (Source: Belarus Police)

Police say they have disrupted the long-running Andromeda botnet, aka Gamarue, which has been tied to a massive number of malware attacks, including ransomware campaigns.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

On Wednesday, an international police operation resulted in the seizure of servers and domains used to spread and control Andromeda malware as well as the arrest of an unnamed individual in Belarus who's been accused of being tied to the botnet. Some security researchers believe the individual is the veteran cybercriminal called "Ar3s," aka "the Belarusian."

The EU's law enforcement intelligence agency, Europol, on Monday said that 1,500 command-and-control and malware-distribution domains tied to Andromeda had been sinkholed, meaning they were rerouted to police-controlled servers. Microsoft, which assisted in the takedown, along with security firm ESET, said that in the first 48 hours of the sinkholing, approximately 2 million unique IP addresses - each an Andromeda-infected PC - from 223 countries were detected.

The Andromeda investigation was led by the FBI, working with Luneburg Central Criminal Investigation Inspectorate in Germany, Europol's European Cybercrime Center, the EU's Joint Cybercrime Action Task Force and Eurojust, the EU agency devoted to judicial cooperation in criminal matters.

"This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale," says Steven Wilson, head of Europol's European Cybercrime Center, or EC3. "The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."

Andromeda's global prevalence from May to November. (Source: Microsoft)

Suspect Arrested in Belarus

As part of the Andromeda disruption, police in the Eastern European country of Belarus announced that they arrested a Belarus citizen accused of being part of "an international cybercrime group" that created and distributed malicious software. The date of the suspect's arrest has not been announced.

Police said they worked with the FBI on the investigation and that undercover FBI agents purchased software from the defendant that established his connection to the Andromeda botnet. They said that connection was bolstered by a digital forensic investigation of storage devices seized from the suspect at the time of his arrest.

USB storage devices seized by police in Belarus when they arrested an individual in connection with the Andromeda botnet. (Source: Police in Belarus)

Police in Belarus allege that the suspect received $500 per copy of the Andromeda crimeware toolkit that was sold, as well as $10 for every follow-up malware update provided to buyers.

Based on the information that has been released by authorities, two researchers at cybercrime intelligence provider Recorded Future believe the suspect is "Ar3s," a veteran cybercriminal. "Ar3s is the mastermind behind the Andromeda Trojan and a longstanding administrator of the Damage Lab hacking forum," Recorded Future's Andrei Barysevich and Alexandr Solad write in a report released Tuesday.

"Ar3s ... is one of the most respected and longest-standing members of the hacking community and has operated in the Russian-speaking underground since at least 2004," the researchers say. Other handles used by the suspect have been "Apec" - in Russian - as well as "Ch1t3r." And on cybercrime forums, Ar3s is regularly referred to as "the Belarusian," they say.

"The actor is best known as a developer of the powerful Andromeda bot created in 2011, as well as the Win32/Gamarue HTTP bot," they add. "The actor is also known as the author of the Windows SMTP Bruter v.1.2.3, an SMTP bruteforcing tool, as well as 'Swf-Inj Service' which hijacks web traffic by embedding iFrame malware into SWF - small web format - files."

Malware Distribution Operation

Andromeda was principally designed to distribute other types of malware, and the Andromeda bot was often advertised on cybercrime forums as the Gamarue crimeware toolkit, security researchers at the Microsoft Digital Crimes Unit and Windows Defender Research team say in a blog post.

Microsoft estimates that cybercriminals used Andromeda to distribute 80 malware families and that in the last six months, such malware was detected or blocked on more than 1 million PCs per month.

Top 10 countries with systems that encountered Andromeda/Gamarue from May to November. (Source: Microsoft)

The malware families distributed by Andromeda included Carberp and Ursnif banking Trojans; Fareit and Kasident distributed denial-of-service attack malware; the Fynloski backdoor; as well as Cerber, Petya and Troldesh ransomware, Microsoft says.

Since 2015, ESET - together with Microsoft - has been providing intelligence on Andromeda, which ESET refers to as Wauchos, to authorities. "Wauchos is mostly used to steal credentials, and to download and install additional malware onto a system," ESET researcher Jean-Ian Boutin says in a blog post. "Thus, if a system is compromised with Wauchos, it's likely that there will be several other malware families lurking on the same system."

Modular Capabilities

Gamarue is highly modular, and users can buy add-ons with additional desired capabilities, Microsoft says, including the following functionality:

  • Rootkit (included): Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence;
  • Socks4/5 (included): Turns a victim's PC into a proxy server for serving malware or malicious instructions to other internet-connected PCs;
  • Keylogger ($150): Logs keystrokes and mouse activity to steal usernames and passwords, financial information and more;
  • Formgrabber ($250): Captures any data submitted by a user via Chrome, Firefox or Internet Explorer web browsers;
  • Teamviewer ($250): Remotely controls the victim machine, spy on the desktop and transfer files, among other capabilities;
  • Spreader (price unlisted): Spreads Andromeda malware via removable drives while imbuing the malware with the ability to download updates via domains specified using domain name generation algorithms.

Andromeda was also designed to disable built-in Windows security features. "Gamarue attempts to tamper with the operating systems of infected computers by disabling firewall, Windows Update and user account control functions," Microsoft says. "These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10."

Microsoft Windows firewall and update functionality after being disabled by Avalanche, aka Gamarue.

Lessons Learned From Avalanche

Police say their disruption of Andromeda succeeded thanks, in part, to lessons learned from taking down the Avalanche botnet 12 months ago, which was tied to Andromeda. At the time, police arrested five individuals, physically seized more than three dozen servers tied to Avalanche and took technical steps to prevent repeat attacks.

Europol estimated that infrastructure used to run Avalanche, which was in operation since 2009, every week lobbed more than 1 million emails carrying malicious links or attachments at potential victims.

Late last year, authorities sinkholed all Avalanche infections, which they planned to do for one year. But on Monday, Europol announced that the sinkholing has been extended for another year because "globally 55 percent of the computer systems originally infected [by] Avalanche are still infected today."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.