Advisory ID: NCC-CSIRT-081124-013
Summary:
Andromeda, also known as Gamarue, is modular malware: it can download additional malicious modules or payloads on the attacker's instruction. It spreads through phishing and infected websites and lets attackers control systems, steal data, and distribute other malware. Although its infrastructure was disrupted in 2017, updated versions still appear in cyberattacks, and it remains an ongoing threat.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows Operating Systems
Description:
Andromeda spreads through phishing emails, malicious attachments, and compromised websites, disguising itself as legitimate software. Once executed, it installs itself on the target system and evades detection through obfuscation and encryption. It then contacts its command-and-control (C&C) servers for instructions, which lets it download additional malicious modules such as keyloggers or ransomware. Andromeda survives reboots by modifying system settings (including registry keys) and creating scheduled tasks. Infected systems become part of a botnet that is used for DDoS attacks, data theft, and other malicious activity. Its modular, adaptable design lets it evolve and keep operating even after takedown efforts.
Consequences:
Andromeda can cause data theft and system compromise, spread additional malware, and disrupt operations, leading to financial losses and privacy breaches.
Solution:
To mitigate this threat, you are advised to carry out the following:
- Avoid opening unexpected email attachments and use email filters to block malicious files.
- Keep systems and software patched to close the vulnerabilities Andromeda and its downloaded payloads exploit.
- Provide regular cybersecurity training to help employees identify and avoid phishing, suspicious downloads, and social engineering tactics.
- Employ comprehensive antivirus or anti-malware software that can detect and remove Andromeda malware and other threats.
- Use advanced email filtering to block phishing emails and attachments, preventing malware delivery.
- Monitor network traffic for unusual activity, particularly communications with suspicious IP addresses or command and control (C&C) servers.
- Disable unnecessary services, ports, and protocols that could be exploited by the malware to maintain communication with its C&C servers.
- Regularly back up important data and systems to ensure recovery in case of malware infection and minimize data loss.
- If a system is suspected of being infected, isolate it from the network to prevent further spread of the malware.
- Deploy Endpoint Detection and Response (EDR) solutions to continuously monitor and analyze endpoint activity for signs of malware infection and suspicious behaviour.
- After removing the malware, restore all altered system configurations, tasks, and registry keys to their original state.
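The following PowerShell script is an added example and is not part of the NCC advisory. It ties the description above (registry and scheduled-task persistence, C&C beaconing) to the network-monitoring, EDR and clean-up recommendations by collecting the three artefact classes a responder would check on a suspect Windows host: autorun registry entries, scheduled-task actions, and established outbound connections whose owning process runs from an unusual location. The trusted-directory list and the watched ports are constructed assumptions, not indicators published for Andromeda; the advisory lists none, so none are embedded here.

```powershell
# Added example (not from the advisory): first-pass host triage for Andromeda-style
# persistence and C&C beaconing. Run in an elevated PowerShell 5.1+ session on the
# suspect host. The allow-list and port list below are assumptions for illustration.
param(
    # Constructed allow-list: directories from which legitimate autoruns normally load.
    [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
    # Constructed watch-list: remote ports commonly used to blend C&C traffic with web traffic.
    [int[]]$WatchPorts = @(80, 443, 8080)
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Category, $Detail, $Source) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail; Source = $Source })
}

# Returns $true when an executable path lies outside every trusted root
# (e.g. %APPDATA%, %TEMP%, user profile), which is typical of user-land malware persistence.
function Test-Untrusted([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and trailing arguments, keeping only the executable path.
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $TrustedRoots) {
        if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# 1. Registry Run / RunOnce autorun entries for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        if (Test-Untrusted $p.Value) { Add-Finding 'Registry autorun' "$($p.Name) = $($p.Value)" $key }
    }
}

# 2. Scheduled tasks whose action launches a binary from an untrusted location.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-Untrusted $a.Execute)) {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)" 'Task Scheduler'
        }
    }
}

# 3. Established outbound connections on watched ports owned by a process outside the trusted roots.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    if ($WatchPorts -contains $_.RemotePort) {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path -and (Test-Untrusted $proc.Path)) {
            Add-Finding 'Outbound connection' "$($proc.Name) (PID $($proc.Id)) $($proc.Path) -> $($_.RemoteAddress):$($_.RemotePort)" 'Get-NetTCPConnection'
        }
    }
}

$findings | Format-Table -AutoSize
# Preserve the evidence before any clean-up; the CSV records what was altered so it can be restored later.
$findings | Export-Csv -Path "$env:TEMP\triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

The location heuristic is deliberately coarse: it surfaces candidates for an analyst rather than confirming an Andromeda infection, and malware that copies itself under Program Files or injects into a trusted process will not be flagged. Treat the exported CSV as the inventory to work from when isolating the host and, after removal, when restoring the registry keys and tasks it lists.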
References:
- https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Botnetz-Avalanche/Malware/Andromeda/andromeda_node.html
- https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda
- https://technologytimes.ng/nigeria-alerts-banks-of-andromeda-malware/