Travelling to the far side of Andromeda

J
Jose Miguel Esparza
Travelling to the far side of Andromeda Jose Miguel Esparza
$ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
Evolution of Andromeda  Binary  Plugins  Panel
Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
Evolution of Andromeda
Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
Evolution of Andromeda
Evolution of Andromeda avpui.exe (Kaspersky)
Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
The Dark Side of Andromeda  Who is behind Andromeda?
The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
Statistics
Statistics
Statistics
Statistics
Statistics
Statistics
Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
Interesting use cases
Interesting use cases  Andromeda loving AV industry
Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
malware.dontneedcoffee.com
malware.dontneedcoffee.com
Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf
Thanks!! Jose Miguel Esparza http://eternal-todo.com @EternalTodo
1 of 61

Travelling to the far side of Andromeda

Download to read offline
Internet

Talk about Andromeda at Botconf 2015. Abstract: Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc. This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.

J
Jose Miguel Esparza

Recommended

Sopelka VS Eurograbber - Really 36 million EUR? by
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Jose Miguel Esparza
7.7K views78 slides
Taking the Attacker Eviction Red Pill (v2.0) by
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
19.5K views56 slides
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions by
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
791 views51 slides
Hitbkl 2012 by
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
612 views55 slides
EKFiddle: a framework to study Exploit Kits by
EKFiddle: a framework to study Exploit KitsEKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsJerome Segura
4.6K views35 slides
Thrombus Training Dec. 2013 by
Thrombus Training Dec. 2013Thrombus Training Dec. 2013
Thrombus Training Dec. 2013CREATIS
723 views30 slides

More Related Content

Similar to Travelling to the far side of Andromeda

Mozilla chirimen firefox os dwika v5 by
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
421 views64 slides
amrapali builders @@ hacking challenges.pdf by
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapalibuildersreviews
292 views23 slides
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12 by
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet
1.7K views31 slides
IPv6 Security Talk mit Joe Klein by
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
758 views35 slides
New Botnets Trends and Threats (BH Europe 2007) by
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
94 views39 slides
Hacking your Droid (Aditya Gupta) by
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
4.6K views63 slides

Similar to Travelling to the far side of Andromeda(20)

Mozilla chirimen firefox os dwika v5 by Dwika Sudrajat
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
Dwika Sudrajat421 views
amrapali builders @@ hacking challenges.pdf by amrapalibuildersreviews
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
amrapalibuildersreviews292 views
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12 by Puppet
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet1.7K views
IPv6 Security Talk mit Joe Klein by Digicomp Academy AG
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG758 views
New Botnets Trends and Threats (BH Europe 2007) by André Fucs de Miranda
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
André Fucs de Miranda94 views
Hacking your Droid (Aditya Gupta) by ClubHack
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
ClubHack4.6K views
Malware cryptomining uploadv3 by Setia Juli Irzal Ismail
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail777 views
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi... by Felipe Prado
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado81 views
Securing your Cloud Environment v2 by ShapeBlue
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue1.3K views
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail by Martin Jirkal
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Martin Jirkal122 views
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle by Peter Kálnai
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Peter Kálnai33 views
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS by MITRE ATT&CK
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
MITRE ATT&CK76 views
Zombie browsers spiced with rootkit extensions - DefCamp 2012 by DefCamp
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp847 views
Defcon by OpenDNS
DefconDefcon
Defcon
OpenDNS1.7K views
A Botnet Detecting Infrastructure Using a Beneficial Botnet by Takashi Yamanoue
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
Takashi Yamanoue306 views
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett... by 44CON
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON5.3K views
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ... by Julia Yu-Chin Cheng
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Julia Yu-Chin Cheng1.1K views
Luiz eduardo. introduction to mobile snitch by Yury Chemerkin
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin1.4K views
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality" by StHack
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
StHack 1.6K views
Mono by Yan Drugalya
MonoMono
Mono
Yan Drugalya4.2K views

Recently uploaded

The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
19 views24 slides
ARNAB12.pdf by
ARNAB12.pdfARNAB12.pdf
ARNAB12.pdfArnabChakraborty499766
5 views83 slides
Amine el bouzalimi by
Amine el bouzalimiAmine el bouzalimi
Amine el bouzalimiAmine EL BOUZALIMI
5 views38 slides
cis5-Project-11a-Harry Lai by
cis5-Project-11a-Harry Laicis5-Project-11a-Harry Lai
cis5-Project-11a-Harry Laiharrylai126
9 views11 slides
WITS Deck by
WITS DeckWITS Deck
WITS DeckW.I.T.S.
18 views22 slides
hamro digital logics.pptx by
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptxtupeshghimire
11 views36 slides

Recently uploaded(10)

The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh19 views
ARNAB12.pdf by ArnabChakraborty499766
ARNAB12.pdfARNAB12.pdf
ARNAB12.pdf
ArnabChakraborty4997665 views
Amine el bouzalimi by Amine EL BOUZALIMI
Amine el bouzalimiAmine el bouzalimi
Amine el bouzalimi
Amine EL BOUZALIMI5 views
cis5-Project-11a-Harry Lai by harrylai126
cis5-Project-11a-Harry Laicis5-Project-11a-Harry Lai
cis5-Project-11a-Harry Lai
harrylai1269 views
WITS Deck by W.I.T.S.
WITS DeckWITS Deck
WITS Deck
W.I.T.S.18 views
hamro digital logics.pptx by tupeshghimire
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptx
tupeshghimire11 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast15 views
ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
Affiliate Marketing by Navin Dhanuka
Affiliate MarketingAffiliate Marketing
Affiliate Marketing
Navin Dhanuka20 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze17 views

Travelling to the far side of Andromeda

  • 1. Travelling to the far side of Andromeda Jose Miguel Esparza
  • 2. $ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
  • 3. Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
  • 4. Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
  • 5. Evolution of Andromeda  Binary  Plugins  Panel
  • 6. Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
  • 7. Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
  • 8. Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
  • 10. Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
  • 11. Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
  • 14. Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
  • 15. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
  • 16. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
  • 18. Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
  • 19. Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
  • 21. Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
  • 25. Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
  • 26. Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
  • 27. Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
  • 28. Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
  • 29. Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
  • 30. Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
  • 33. Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
  • 34. The Dark Side of Andromeda  Who is behind Andromeda?
  • 35. The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
  • 36. The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
  • 37. The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
  • 38. The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
  • 39. The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
  • 40. The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
  • 41. The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
  • 48. Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
  • 49. Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
  • 50. Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
  • 51. Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
  • 52. Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
  • 53. Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
  • 55. Interesting use cases  Andromeda loving AV industry
  • 56. Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
  • 59. Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
  • 60. Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf