Global team takes down virus-spewing Andromeda botnet

James Marshall
December 6, 2017

A worldwide cyber operation involving law enforcement agencies and private sector partners has dismantled Andromeda (aka Gamarue), one of the longest-running malware families in existence, according to a Europol press release.

Law enforcement has dismantled the Andromeda malware family, which has been infecting computers since 2011.

Hackers behind the botnet created a network of as many as two million infected computers and used it to distribute other malware families. Andromeda was linked to 80 malware families and was detected on, or blocked from, an average of over 1 million machines every month over the last six months, Europol said.

The botnet allowed criminals to harvest sensitive information, such as online banking credentials and credit card information, from infected computers. The crime kit, sold on the dark net, offered customization options so that criminals could deploy their own custom builds.

ESET and Microsoft researchers shared technical analysis, statistical information, and the domains of known command-and-control (C&C) servers to help disrupt the group's malicious activity.

"This particular threat has been around for several years now and it is constantly reinventing itself - which can make it hard to monitor".

The suspected mastermind behind the massive Andromeda botnet, recently taken down by worldwide authorities, has been identified as Jarets Sergey Grigorevich, one of the most prolific cybercriminals in Eastern Europe.

Boutin added that "by using ESET Threat Intelligence and by working collaboratively with Microsoft researchers, we have been able to keep track of changes in the malware's behavior and consequently provide actionable data which has proven invaluable in these takedown efforts". The botnet was shut down on November 29 in a combined operation by Europol, the Federal Bureau of Investigation, security vendor ESET and Microsoft.

"This is another example of worldwide law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale", Steven Wilson, the Head of Europol's European Cybercrime Centre said in a statement.

Investigators discovered approximately 1,214 IP addresses and domains belonging to the command-and-control servers, together with 464 distinct botnets.

33-year-old Sergey Jaretz of Rechitsa, Belarus, was arrested by local authorities on December 4 on behalf of a joint task force of European law enforcement agencies, the U.S. Federal Bureau of Investigation and several non-EU member states.

A sinkholing operation was deployed against over a thousand domains used by the malicious software, resulting in two million Andromeda victim IP addresses from 223 countries being identified. "The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us," said Steven Wilson, the Head of Europol's European Cybercrime Centre.
