Andromeda is a botnet that has had a long history. The latest version is now 2.09, which most active bots would have already received. Recently, however, our FortiGuard Labs Threat Intelligence system was able to capture the activities of a previous variant of Andromeda that is apparently still alive. During our analysis, we found that it is a cracked version of an old variant, and the author used it for spreading a Bitcoin miner.
The network traffic of most Andromeda variants is very similar: the sent data is Base64-encoded, and the received data is in binary (Figure 1).
Figure 1. Network traffic with the C&C server.
After decoding the message that was sent to the C&C server, we can see that the data includes the current bot version (Figure 2).
Figure 2. Decrypted sent data.
In the decrypted data above, bv means build version. Converting the number that follows it, 518, to hexadecimal gives 0x206, which corresponds to version 2.06.
The build version number is also hardcoded in the binary (Figure 3).
Figure 3. Hardcoded build version.
We found several NOP instructions in the binary, located where some critical code sits in the original version of Andromeda 2.06 (Figure 4).
Figure 4. Comparison of the original and cracked versions of Andromeda 2.06.
The left side of the figure above is the original code, and the right side is the cracked one. As we can see, the author removed the call to the RC4 subroutine, which the original version of the bot used to encrypt/decrypt certain portions of the bot’s code. The author might have done this to make it much easier to update the encrypted data, such as the URL of the C&C server and the corresponding RC4 key for encrypting the network traffic.
We suspect that the author did not have the source code of Andromeda 2.06, so he/she had to resort to this unusual method to build his/her own bot.
Fortunately, we already detected this cracked version of Andromeda 2.06 as W32/Kryptik.AFJS!tr when it appeared.
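The check-in decoding described above (Base64 wrapper, RC4 traffic key, `bv` read as hexadecimal), as an added example that is not code from the original post or from the bot. The `name:number|...` field layout, the field names other than `bv`, the key and the sample body are assumptions constructed for the demonstration.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_checkin(body_b64: str, key: bytes) -> dict:
    """Base64-decode and RC4-decrypt a captured check-in body, then split it
    into integer fields. Raises ValueError on a wrong key or malformed body."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
        plain = rc4(key, raw).decode("ascii")
        # Assumed layout: "name:number" pairs separated by "|".
        return {k: int(v) for k, v in (f.split(":", 1) for f in plain.split("|"))}
    except ValueError as exc:  # covers base64, ASCII and parse failures
        raise ValueError("not a check-in under this key") from exc

def build_version(bv: int) -> str:
    """Read bv as hex digits, as the post does: 518 -> 0x206 -> '2.06'."""
    h = format(bv, "x")
    return f"{h[:-2] or '0'}.{h[-2:].zfill(2)}"

# Constructed sample: key and values are made up; only bv:518 is from the post.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PLAIN = b"id:305419896|bv:518|sv:1281"
SAMPLE_BODY = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PLAIN)).decode()

if __name__ == "__main__":
    fields = decode_checkin(SAMPLE_BODY, SAMPLE_KEY)
    print(fields, "-> build", build_version(fields["bv"]))
```

A body that fails to decode under a known key is itself a useful signal when triaging captures, since it points to a different key or a different family.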
Spreading a Bitcoin Miner
We were able to capture the following command that the C&C server delivered to the bot. In the figure below, we can see that there is a download link for a file which is actually a Bitcoin miner binary. The miner, detected as Riskware/BitCoinMiner, could exhaust the victim’s resources once executed.
Figure 5. The C&C command in plaintext.
Our FortiGuard Labs Threat Intelligence system could also capture the Bitcoin miner network traffic.
Figure 6. Bitcoin miner traffic.
Our brief analysis of this cracked version of Andromeda 2.06 shows that a botnet’s life cycle can be longer than expected. Cybercriminals can buy botnet kits from the underground market, but they can also resort to unconventional methods such as the one described here: cracking existing bots.