This Week in Security: a New ‘Type’ of Breach Leaks, and a Galaxy Falls

Andromeda Purged From the Criminal Universe

The week began with a rather significant announcement out of Europol. The Andromeda botnet (and associated economy) was taken down via a joint effort from international law enforcement agencies. The FBI, EC3[1], J-CAT[2], Eurojust, and several private sector entities cooperated to bring down Andromeda and related operations.

The Andromeda botnet has been in operation since 2011. The Andromeda malware was sold heavily in a variety of configurations in numerous crime forums and markets. One of the strengths of its design was its modularity, which allowed easy expansion of functionality (e.g. additional keyloggers, form-grabbers, and similar plug-ins). Like many other ‘kits’ of days past (DNA, Dark Comet, Pony Loader), it was very easy to use, expand and manage. Also as with kits of that ilk, it was common for less-sophisticated criminals to gain access to ‘cracked’ or otherwise ‘free’ versions of the kit.

Because of the built-in modularity, Andromeda functioned very well both as a multi-function Remote Access Trojan (RAT) and as a vehicle to spread and maintain additional malware. According to a press release out of Europol:

“Andromeda’s main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, in the last six months, it was detected or blocked on an average of over 1 million machines every month. Andromeda was also used in the infamous Avalanche network, which was dismantled in a huge international cyber operation in 2016.”

The story becomes even more interesting, from an OPSEC perspective, when we learn how the author was identified via his ICQ number, which was tied to him since at least 2005. This ICQ was tied to his criminal operations (often under the alias ‘Ar3s’) as well as personal communications, thereby removing any doubt that ‘Ar3s’ (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog