Threat Spotlight: The Andromeda Botnet

Executive Overview

The Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft^[1] the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more.

Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality. The standard kit retails for around $300-$500, but price varies for different builder’s versions and any  additional modules purchased. The builder comes in five versions – 2.06, 2.07, 2.08, 2.09 and 2.10. There is not much information on versions prior 2.06. 

For this blog, analysis will focus on version 2.06 builder – the cracked version by OldWarrior.

Technical Analysis

Andromeda was a substantially large botnet. However, analysis showed that building its infrastructure took little effort compared to other botnet building kits.  Below is a breakdown of each component used to build the infrastructure (see Figure 1):

Figure 1: Andromeda botnet builder contents

According to Scan For Security^[2], the original Andromeda builder was never released. The Trojanized version of Andromeda was allegedly created by OldWarrior, a random person who was not involved in the original project. This is the builder that circulates around the Internet and is freely available to download from various sources. The builder is easy to identify as it credits OldWarrior as the creator.

Analyzed Files and the Andromeda Web Panel

Config.php 

Config.php is the core of Andromeda as it contains the main configuration:

Figure 2: Config.php contents

The threat actor would begin by editing these settings. We see that in this case, login credentials were quite unique, with the MD5 matching the hash corresponding to the admin : admin string.

The config.php contents will be used later in the panel builder (index.php) file and in other components/scripts. All the communications use an RC4 algorithm, so if the RC4 key does not match the key in config.php communication will not be established.

Index.php (Andromeda Bot Web-Panel For Admin)

The web-panel is written in php and MySQL. Installation of the panel begins by creating a MySQL database that will be linked the botnet and will store all the information regarding it. To install the panel the threat actor would type in the browser: <hosting_server >_<folder>_index.php?act=install in the window shown in Figure 3:

Figure 3: Installation of Andromeda bot web panel

This file is base64 encoded and gzcompressed. Once the obfuscated php script is decoded, human-readable content is revealed, showing that Index.php is used to install the web panel for Andromeda. The panel allows the threat actor to work with four tables from MENU. MENU includes four choices - Bots, Black list, Tasks and Services:

1.      The Bots table includes information on:

• Bot ID – An eight-character ID (e.g., 2445FDB3), as seen in Figure 4:

Figure 4: Bot ID

• Build ID – The eight-character number generated when building a bot (e.g.,12345678), as seen in Figure 5:

Figure 5: Build ID

• IP Address – The NAT IP address, as seen in Figure 6:

Figure 6: NAT IP address

An ip2long() function is used to get an IP address. In php (32-bit) integers are signed, therefore returning negative integers (IP addresses). To get an unsigned IP address, an ip2long() function is needed: “(ip2long ( string $ip_address ) : int)” e.g., 1.0.0.0 -> 16777216, as seen in Figure 7.

• Country – This calls the geoIPCountryWhois.csv.gz document which contains a list of location and country codes (e.g., AL-Albania, LT-Lithuania, EU-Europe, etc). A sample of this document is shown in Figure 7. The first two columns are NAT IP addresses. The third and fourth columns represent IP addresses (using ip2long function). The fifth column is a country location code and last columns is the country:
   

Figure: 7: Unzipped geoIPCountryWhois.csv.gz document contents snippet

In the bots table example shown below, only the country code is needed:

Figure 8: Country code

• Install date - (time and date of the install), shown in Figure 9:

Figure 9: Install date

• Last response - The time of the last response, shown in figure 10:

Figure 10: Last response

• Task – The bot command (e.g., 9 to kill a bot), shown in Figure 11:

Figure 11: Bot commands

• Bot version – Version number (02.06 etc.) as seen in Figure 12:

 Figure 12: Bot version

• OS version – The system OS (Win200, WinXP, Win2003, WinVista, Win7, etc) and account type,  either admin or user (e.g., Win7 x86 (A)):
   

Figure 13: OS version

• Status – Current bot status, either online or dead, shown in figure 14:

Figure 14: Bot status - either online or dead

From this page the threat actor can also view:

• General statistics on bots including total number, online bots, online per hour, online per day, online per week, new bots at last day, and dead bots. This information is shown in Figure 15:

Figure 15: General bot stats

• Statistics on countries and a list on the countries with the most infections.
  
  
• OS version statistics as seen in Figure 16:

Figure 16: OS stats

• X86/x64 statistics on the number of infected systems.
  
  
• Statistics on By Build ID, allowing the botnet admin to easily track which bot builds are deployed.
  
  
• Admin can also filter records (with a limit of 30) by choosing either to select or not to show online status and/or NAT(Only real IPs). See Figure 17 for an example:

Figure 17: Record filter

See Figure 18 for an example of included records:           

 Figure 18: Records values

2. Blacklist

This table consists of bots that have been blacklisted with options to ban, delete, un-ban, and un-ban all.

The ban table displays the bot id, build id, IP address (NAT), country, install date, last response, task, bot version, OS version and status (online/offline).

3. Tasks

Tasks include ability to add/edit/delete with a recreated form layout shown in Figure 19:

Figure 19: Tasks

4. Service

The service form offers the ability to:

• optimize bots, tasks, and blacklist database tables
• deldead (delete dead) removes dead bots
• delall (delete all) remove all statistics
• logindata – save new login data
• limits – update limits on dead bots
• RC4key – update the RC4key

The service form seen in Figure 20 was created using JavaScript and HTML’s <form> element (script was used from index.php):

 Figure 20: Service

You’ve Got Mail!

One of the primary infection vectors of Andromeda is via spam emails with malicious documents attached, as seen in Figure 21:

Figure 21: Email with attached malicious document

Victims receive an email saying that they have an outstanding payment that requires immediate action. Typically, an unwitting user will click on the attached document “img-9625769378672-pdf.zip” and extract it. Once extracted, the user is presented with document “img-1504632071008-pdf.pdf.exe” - which is a backdoor for Andromeda:

The execution chain of Andromeda is shown in Figure 22:

Figure 22: Andromeda backdoor execution chain

The malware creates a copy of itself in C:\Users\[name]\AppData\Local\Temp. The file size is 167424 bytes. The new file is a child of the parent.

Andromeda disables error messages through the SetErrorMode function. The malware then loads DLLs into a process through the LdrLoadDll function. The loaded DLLs include:

• ws2_32.dll - used for handling the network operations/connections
• advapi32.dll - handles security and registry related calls
• gdi32.dll - Graphical Device Interface (GDI) library
• imm32.dll - input method manager library
• user32.dll - handles Windows user interface related functions
• shell32.dll - handles functions related to opening web pages/file
  • calls LdrGetDllHandle to rpcrt4.dll - remote procedure call API
• ole32.dll - contains OLE functions library
• winhttp.dll - used when downloading files from internet
• crypt32.dll - utilizes certificates and cryptographic functions
• dnsapi.dll - DNS client API

Process Hollowing

The process hollowing is performed by the child process against msiexec.exe with the use of NTDLL’s APIs where it will inject the final payload.

Persistence

To achieve persistence Andromeda will modify the registry key to autorun at startup by making the following changes:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Key: 1160803084
Value: %ALLUSERSPROFILE%\msswjjumg.exe

This value varies from 3-9 random lower case letters, see example: “C:\ProgramData\ms{3-9 random-lower-case-letters}.exe”.

The malware also disables User Access Control (UAC) in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Andromeda changes Explorer settings to prevent hidden files from being displayed as well, modifying:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

To obtain the current time, the malware will resolve several NTP domains on port 123 including:

• pool.ntp[.]org
• oceania.pool.ntp[.]org
• south-america.pool.ntp[.]org
• africa.pool.ntp[.]org
• europe.pool.ntp[.]org
• asia.pool.ntp[.]org

Examples of POST requests sent to the Command-and-Control (C2) are shown below:

• gainsgul[.]com/love.[]php
• darylruth[.]com/freedom[.]php
   

Figure 23: POST requests

Andromeda creates a snapshot to enumerate modules that are loaded into processes. The malware is looking for aReport which, according to Virus Bulletin^[3],  is one of three plugins exports the Andromeda bot uses.  Those exports are: aStart, aUpdate, and aReport.

Conclusion

If you are a BlackBerry customer using BlackBerry® Protect, you are already protected from this attack by our machine learning models. For example, suppose an employee accidently opens an infected email attachment and sees the following warning pop up (Figure 24):

Figure 24: Security warning

If the user clicks on “Run”, BlackBerry Protect will immediately block the threat (Figure 25):

Figure 25: BlackBerry Protect quarantines the threat

Appendix

Indicators of Compromise (IOCs)

• Hashes

Builder (compressed) - 9e4a69b542b2ac512511e1738c614964f7e806ec9d60f0fd5fb61dca735f02c1
Mail - fac4eaeafb31fa6de4977bda2efb236a7d1e84442d452c5219ec096293835aef
Backdoor - C85E6C218E4591D48D19FAE9B12DB30856DA245A28BAFC9735E4404B794CA263

• Filenames

img-1504632071008-pdf.pdf.exe 
Payments_CLI_09_06.png.exe 
Payments CLI_09_06.png.exe 
0003_.b64.zip-1.exe   
factura(copia)06.2016.jpeg.exe

• C2s/IPs

gainsgul[.]com/love[.]php 
darylruth[.]com/freedom[.]php

File Information    

Citations

^[1] https://www.microsoft.com/security/blog/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/
^[2] https://www.scanforsecurity.com/news/sergei-yarets-free-revelations-andromeda-botnet-operator-ar3s.html
^[3] https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/