An international contingent of law-enforcement agencies on Friday dismantled the massive Andromeda malware botnet, sinkholing around 1,500 malicious domains and arresting a suspect in Belarus.
The November 29 operation resulted in the identification and capture of roughly 2 million unique victim IP addresses in 223 countries, according to a press release from Europol, whose European Cybercrime Centre (EC3) helped execute the takedown alongside the FBI, Germany's Luneburg Central Criminal Investigation Inspectorate, the Joint Cybercrime Action Task Force (J-CAT) and Eurojust.
Developed in September 2011, Andromeda, aka Gamarue or Wauchos, is known for stealing credentials from victims as well as downloading and installing up to 80 different secondary malware programs onto users' systems, including spam bots. Over the last half-year, it has been detected or blocked on an average of more than 1 million machines per month, Europol added.
It has also been linked to the Avalanche cybercriminal network, whose infrastructure was dissolved one year ago on Nov. 30, 2016 by many of the same law-enforcement agencies involved in this latest operation. In fact, the 2016 takedown of Avalanche revealed new insights into Andromeda that ultimately enabled last week's operation, Europol announced, also noting that the sinkholing of Avalanche assets has been extended for another year because 55 percent of computer systems victimized through Avalanche still remain infected today.
In its own release, ESET described Andromeda as customizable botnet malware – originally sold as a crime kit on the dark web – that allows attackers to create custom plugins that can perform malicious tasks such as controlling compromised systems and stealing content that users type into web forms. Attackers have spread Andromeda malware via social media, instant messaging, removable media, spam, and exploit kits, ESET added.
“In the past, Wauchos has been the most detected malware family amongst ESET users,” said Jean-Ian Boutin, senior malware researcher at ESET, in the release. “This particular threat has been around for several years now and it is constantly reinventing itself – which can make it hard to monitor. But... we have been able to keep track of changes in the malware's behavior and consequently provide actionable data which has proven invaluable in these takedown efforts.”
More specifically, ESET reported that it was able to build its very own bot that could communicate with Andromeda's C&C server, allowing analysts to track the malware's botnet armies over the last year-and-a-half, while also identifying the cybercriminals' infrastructure and chronicling what programs were installed on infected machines.
“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale,” said Steven Wilson, head of Europol's European Cybercrime Centre. “The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”
In addition to ESET and Microsoft, other private partners included the Shadowserver Foundation; the Registrar of Last Resort; ICANN (and associated domain registries); the Fraudhofer Institute for Communication, Information Processing and Ergonomics (FKIE),; and the German Federal Office for Information Security (BSI).