Andromeda botnet

Introduction: The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis. Data Encryption: All C&C communication is encrypted with a symmetrical algorithm....
by Donna Wang, Jacob (Kuan Long) Leong  |  Nov 28, 2016  |  Filed in: Security Research
GamaPoS has received a fair amount of attention since its discovery, in part because the use of .NET is (currently) unique among PoS malware and in part because it leverages the versatile Andromeda botnet. At its core, though, GamaPoS is a scraper designed to steal payment data from the RAM of PoS systems. GamaPoS is the first documented PoS malware to be written in .NET. Malware written in .NET comes with its advantages and its disadvantages, both for authors and researchers. The most obvious benefit for its authors is that it...
by Hong Kei Chan  |  Jul 20, 2015  |  Filed in: Industry Trends
Andromeda is an infamous modular botnet that has been around for several years now. It is very popular in the underground cybercrime market, with many different variants that use different RC4 keys to encrypt and decrypt its network packets. Since the beginning of 2014, we have found that the version number, which can be seen in its network traffic, has changed to 2.08. This new version is very similar to the previous version 2.07. The main difference can be found at the beginning of the code, which contains Andromeda's anti-analysis tricks....
by He Xu  |  May 19, 2014  |  Filed in: Security Research
This article originally appeared in Virus Bulletin. Recently, we found a new version of the Andromeda bot in the wild. This version has strengthened its self-defense mechanisms by utilizing more anti-debug/anti-VM tricks than its predecessors. It also employs some novel methods for trying to keep its process hidden and running persistently. Moreover, its communication data structure and encryption scheme have changed, rendering the old Andromeda IPS/IDS signatures useless. In...
by Neo Tan  |  Apr 23, 2014  |  Filed in: Security Research
This article originally appeared in Virus Bulletin. Andromeda is a modular bot. The original bot simply consists of a loader, which downloads modules and updates from its C&C server during execution. The loader has both anti-VM and anti-debug features. It will inject into trusted processes to hide itself and then delete the original bot. The bot hibernates for a long time (from several days to months) between communications with its C&C server. As a result,...
by He Xu  |  Apr 16, 2014  |  Filed in: Security Research