SlideShare a Scribd company logo

Travelling to the far side of Andromeda

J
Jose Miguel Esparza

Talk about Andromeda at Botconf 2015. Abstract: Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc. This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.

Internet
1 of 61
Download to read offline
Travelling to the far side of Andromeda Jose Miguel Esparza
$ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
Evolution of Andromeda  Binary  Plugins  Panel
Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
Evolution of Andromeda
Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
Evolution of Andromeda
Evolution of Andromeda avpui.exe (Kaspersky)
Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
The Dark Side of Andromeda  Who is behind Andromeda?
The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
Statistics
Statistics
Statistics
Statistics
Statistics
Statistics
Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
Interesting use cases
Interesting use cases  Andromeda loving AV industry
Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
malware.dontneedcoffee.com
malware.dontneedcoffee.com
Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf
Thanks!! Jose Miguel Esparza http://eternal-todo.com @EternalTodo

Recommended

Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?
Jose Miguel Esparza
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
Frode Hommedal
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
F _
 
EKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsEKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit Kits
Jerome Segura
 
Thrombus Training Dec. 2013
Thrombus Training Dec. 2013Thrombus Training Dec. 2013
Thrombus Training Dec. 2013
CREATIS
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eric Vanderburg
 

Recommended

Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?
Jose Miguel Esparza
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
Frode Hommedal
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
F _
 
EKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsEKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit Kits
Jerome Segura
 
Thrombus Training Dec. 2013
Thrombus Training Dec. 2013Thrombus Training Dec. 2013
Thrombus Training Dec. 2013
CREATIS
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eric Vanderburg
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
Dwika Sudrajat
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
amrapalibuildersreviews
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
André Fucs de Miranda
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
ClubHack
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Peter Kálnai
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Martin Jirkal
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
MITRE ATT&CK
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
Defcon
DefconDefcon
Defcon
OpenDNS
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
Takashi Yamanoue
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Julia Yu-Chin Cheng
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
StHack
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 

More Related Content

Similar to Travelling to the far side of Andromeda

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
Dwika Sudrajat
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
amrapalibuildersreviews
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
André Fucs de Miranda
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
ClubHack
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Peter Kálnai
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Martin Jirkal
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
MITRE ATT&CK
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
Defcon
DefconDefcon
Defcon
OpenDNS
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
Takashi Yamanoue
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Julia Yu-Chin Cheng
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
StHack
 

Similar to Travelling to the far side of Andromeda (20)

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
 
Defcon
DefconDefcon
Defcon
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 

Recently uploaded

[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 

Recently uploaded (20)

[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 

Travelling to the far side of Andromeda

  • 1. Travelling to the far side of Andromeda Jose Miguel Esparza
  • 2. $ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
  • 3. Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
  • 4. Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
  • 5. Evolution of Andromeda  Binary  Plugins  Panel
  • 6. Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
  • 7. Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
  • 8. Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
  • 10. Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
  • 11. Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
  • 14. Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
  • 15. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
  • 16. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
  • 18. Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
  • 19. Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
  • 21. Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
  • 25. Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
  • 26. Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
  • 27. Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
  • 28. Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
  • 29. Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
  • 30. Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
  • 33. Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
  • 34. The Dark Side of Andromeda  Who is behind Andromeda?
  • 35. The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
  • 36. The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
  • 37. The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
  • 38. The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
  • 39. The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
  • 40. The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
  • 41. The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
  • 48. Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
  • 49. Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
  • 50. Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
  • 51. Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
  • 52. Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
  • 53. Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
  • 55. Interesting use cases  Andromeda loving AV industry
  • 56. Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
  • 59. Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
  • 60. Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf