Malware behind downed botnet spreading ransomware, spam bots and spyware
A botnet called Andromeda, taken down by Europol and the FBI, was spreading various types of malware, including ransomware and spyware, according to Microsoft. Computers in Asian countries in particular were affected by the malware behind the botnet.
Microsoft writes in an analysis that the malware behind the Andromeda botnet is also known as Gamarue. It infected computers and made them part of the botnet. According to the company, it was responsible for spreading many other kinds of malware, including the ransomware variants Petya and Cerber. It also distributed spam bots, DDoS malware and information-stealing malware. In total, 80 malware variants were involved. Microsoft attributes more than 1,200 IP addresses to Andromeda's command-and-control infrastructure.
In recent months, Microsoft detected the Gamarue malware on an average of 1 million systems per month, mainly in Asian countries. A map published by the company also shows a lot of activity in Europe. Gamarue is said to be sold on hacker forums as a bot, a program that allows attackers to take over an infected computer. It is modular malware, so buyers can choose different components, such as a keylogger, a rootkit, a tool to intercept website forms and a remote desktop tool.
Europol reported on Monday that, together with the FBI and various companies, it had taken down the Andromeda botnet. As part of the operation, 1,500 domains were redirected by means of sinkholing to a server under the control of the investigative services. In this way, Microsoft captured 2 million unique IP addresses of Andromeda victims within 48 hours. The takedown built on a similar operation against the Avalanche botnet a year ago. In the current action, a suspect was arrested in Belarus.
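The sinkhole measurement described above, counting distinct victim IPs that contact the redirected domains within a 48-hour window, can be illustrated with a small script. This is an added example, not Microsoft's or Europol's tooling; the log lines, domains and IPs are constructed for the example (no real Andromeda data), and the assumed log format is "timestamp client-IP queried-domain".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole log lines (not real Andromeda data):
# "<UTC timestamp> <client IP> <redirected domain>", one request per line.
SINKHOLE_LOG = """\
2017-11-29T10:00:00Z 203.0.113.5 c2-a.example
2017-11-29T10:05:00Z 203.0.113.5 c2-a.example
2017-11-29T11:00:00Z 198.51.100.7 c2-b.example
2017-11-30T09:30:00Z 203.0.113.9 c2-a.example
2017-12-01T09:59:00Z 192.0.2.44 c2-b.example
2017-12-01T10:01:00Z 192.0.2.45 c2-a.example
"""


def parse_line(line):
    """Split one log line into (datetime, ip, domain)."""
    ts, ip, domain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, domain


def unique_victims(log_text, window_hours=48):
    """Count distinct client IPs seen within window_hours of the first
    sinkholed request, overall and per redirected domain.

    Repeated beacons from the same infected host count once, which is why a
    sinkhole reports unique IPs rather than raw request volume.  Returns
    (total_unique, {domain: unique_count}).
    """
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    if not records:
        return 0, {}
    cutoff = records[0][0] + timedelta(hours=window_hours)
    seen_total = set()
    seen_per_domain = defaultdict(set)
    for ts, ip, domain in records:
        if ts >= cutoff:          # records are sorted, so stop at the window edge
            break
        seen_total.add(ip)
        seen_per_domain[domain].add(ip)
    return len(seen_total), {d: len(s) for d, s in seen_per_domain.items()}


if __name__ == "__main__":
    total, per_domain = unique_victims(SINKHOLE_LOG)
    print(f"unique victim IPs in 48h: {total}")
    for domain, count in sorted(per_domain.items()):
        print(f"  {domain}: {count}")
```

Note that the count is a lower bound on infected hosts: NAT hides several machines behind one address, and hosts that did not beacon during the window are not seen at all.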
Gamarue infection processes according to Microsoft