FBI finally shuts down Andromeda botnet

Law enforcement stops Gamarue distribution via the Andromeda botnet with the help of a Microsoft team

Andromeda botnet is stopped

On December 4, Microsoft announced that the FBI and other law enforcement agencies had stopped the distribution of Gamarue, which was actively spreading via the Andromeda botnet. This network of infected computers is infamous for how long it has been running: it is linked to more than 80 distinct malware families, such as Cerber or Petya[1].

During the past six months, Win32/Gamarue showed no signs of slowing down, and most of the victims were in the following countries, mainly in Asia:

  • India;
  • Indonesia;
  • Turkey;
  • Philippines;
  • Mexico, and many others.

The head of the European Cybercrime Centre, Steve Wilson, said the following[2]:

“This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale.”

Microsoft contributed significantly to the Gamarue shutdown: it began a close collaboration with ESET researchers in December 2015 and analyzed more than 44,000 malware samples. The researchers identified approximately 1,214 command-and-control IP addresses and domains, along with 464 distinct botnets[3].

Hackers can purchase the Gamarue crime kit on the underground market

Researchers found that the Gamarue malware is sold as the Andromeda bot on the underground market. The so-called crime kit includes the bot builder, a command-and-control (C&C) tool, and a guide to building the botnet. Once a buyer purchases the package, they can control the infected machines.

Additionally, crooks can buy plug-ins that extend Gamarue with particular features. For example, a keylogger extension is offered for $150 to record keystrokes and steal credentials on the infected computer. Similar tools, such as Teamviewer or Formgrabber, are offered for $250 and allow the attacker to control the compromised system remotely and hijack Google Chrome, Internet Explorer, Mozilla Firefox, and other browsers.

Since 2011, experts have gathered information about the techniques used to distribute Gamarue. The most common are malicious messages sent through hijacked social media accounts, spam emails, and drive-by downloads[4]. Typically, victims receive a message containing a malicious link that leads them to pages hosting the malware.

Once a PC is infected, it connects to the command-and-control server, joins the Andromeda botnet, and is used to distribute other high-risk malware. In addition, Gamarue can steal valuable information from the targeted devices and cause severe financial losses.

FBI caught a Belarusian man believed to be the developer of Andromeda

Experts have reported that Gamarue will not proceed with further malicious activity if it detects one of the following languages on the computer:

  • Ukrainian;
  • Russian;
  • Kazakh;
  • Belarusian.

Additionally, during the operation, law enforcement arrested a man in Belarus who might be the leader of the Andromeda cybercrime gang. There are likely other associates, who may also be from the countries listed above.

Steve Wilson of Europol says:

“The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

With the help of cybersecurity researchers, Europol shut down seven main C&C servers that were used to monitor the Gamarue botnet. At present, approximately 2 million IP addresses in 223 different countries have been found to be associated with Andromeda[5].

About the author
Olivia Morelli, Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
