What is Andromeda? Global law enforcement agencies take down botnet linked to 80 malware families
Over the past six months, the Andromeda botnet has been detected or blocked on an average of nearly 1.1 million machines a month.
A group of global law enforcement agencies has taken down the massive Andromeda malware botnet that has been active since 2011 and arrested a suspect in Belarus.
Europol announced on Monday (4 December) that an international coalition, including the FBI, Germany's Luneburg Central Criminal Investigation Inspectorate, Eurojust and private firms such as Microsoft and ESET, dismantled Andromeda — one of the longest-running malware families in existence.
Developed in September 2011, the widespread botnet also known as Gamarue or Wauchos has been advertised in underground forums on the Dark Web as a crime kit allowing any hacker to purchase a "piece". Ensnaring computers across the globe, its main goal was to distribute other malware families, according to Microsoft.
Andromeda has been associated with 80 malware families. Over the past six months, it has been detected or blocked on an average of nearly 1.1 million machines a month.
"Wauchos is mostly used to steal credentials and to download and install additional malware onto a system. Thus, if a system is compromised with Wauchos, it's likely that there will be several other malware families lurking on the same system," ESET researcher Jean-Ian Boutin said.
Andromeda is a customizable bot that allows its operator to create and use custom plugins, ESET said. One plugin lets a threat actor steal content entered by users into web forms; another lets an attacker connect back to and control a compromised system. Because of its popularity, many independent Gamarue botnets have been found in the wild, distributed via social media, instant messaging, spam, exploit kits and more.
"In the past, Wauchos has been the most detected malware family amongst ESET users, so when we were approached by Microsoft to take part in a joint disruption effort against it, to better protect our users and the general public at large, it was a no-brainer to agree," ESET senior malware researcher Jean-Ian Boutin said. "This particular threat has been around for several years now and it is constantly reinventing itself – which can make it hard to monitor.
"We have been able to keep track of changes in the malware's behaviour and consequently provide actionable data which has proven invaluable in these takedown efforts."
The takedown of the malicious botnet comes a little more than a year after authorities dismantled the international cybercrime network Avalanche on 30 November 2016. Avalanche was used to launch and manage mass global malware attacks, including Andromeda, as well as money mule recruitment campaigns.
"Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year's investigations to dismantle the Andromeda malware last week," Europol said.
More than 1,500 malicious domains used to control the botnet were sinkholed, and all traffic from infected computers was rerouted to less dangerous sites. During 48 hours of sinkholing, the coalition captured 2 million IP addresses from 223 countries attempting to contact the botnet's C&C servers.
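Sinkhole telemetry of the kind described above is what lets defenders find infected hosts, since a machine that still tries to reach a sinkholed C&C domain is still running the bot. The following is an added example, not code from the article or from Europol, Microsoft or ESET: it parses a constructed sinkhole connection log, counts distinct source addresses over a 48-hour window, and filters them down to a defender's own address ranges. The log format, domains, addresses and window start are all placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sinkhole log: "<UTC timestamp> <source IP> <sinkholed domain>".
# The domains are placeholders; the article does not list the real Andromeda domains.
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 198.51.100.23 c2-placeholder-1.example
2017-11-29T10:00:05Z 198.51.100.23 c2-placeholder-1.example
2017-11-29T11:30:00Z 203.0.113.7 c2-placeholder-2.example
2017-11-30T02:15:42Z 198.51.100.23 c2-placeholder-2.example
2017-12-01T09:59:59Z 192.0.2.44 c2-placeholder-1.example
2017-12-02T00:00:00Z 192.0.2.45 c2-placeholder-1.example
garbage line that must be skipped, not crash the parser
"""

WINDOW_START = datetime(2017, 11, 29, 10, 0, 0)  # constructed start of the 48h window

def parse_line(line):
    """Parse one log line; return (timestamp, ip, domain) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(parts[1])  # reject tokens that are not IP addresses
    except ValueError:
        return None
    return ts, parts[1], parts[2]

def summarize(log_text, window_start, window_hours=48):
    """Distinct source IPs seen in the window: overall set and per-domain counts."""
    window_end = window_start + timedelta(hours=window_hours)
    unique, per_domain = set(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, domain = rec
        if window_start <= ts < window_end:
            unique.add(ip)
            per_domain[domain].add(ip)
    return unique, {d: len(ips) for d, ips in per_domain.items()}

def my_infected_hosts(ips, own_ranges):
    """Filter sinkhole hits down to addresses inside the defender's own ranges."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    return sorted(ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets))
```

Repeated hits from one address are counted once, which is why the sample yields three distinct hosts rather than five connection attempts inside the window.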
Europol said a suspect had been arrested in Belarus but did not mention any additional details.
"This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale," Steven Wilson, head of Europol's European Cybercrime Centre, said in a statement. "The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."