Andromeda/Gamarue botnet dropping financial malware hits Italian and German users

Andromeda/Gamarue bots are routinely used as backdoors to infected systems and can also be vectors for downloading different malicious payloads.

Over the last few weeks we noticed the resurgence of a particular spam campaign that is distributing Andromeda/Gamarue to Italian domains, with a couple of bursts in the last 20 days but also going back to April and May 2015.

[Image: adromeda_spam.png]

Our systems collected more than 4000 unique emails with malicious attachments that can be linked to Andromeda with an ultimate goal of distributing two particular families of financial malware. Spam relays linked to this campaign are primarily located in Europe with a strong focus on Spain and Italy.

[Image: spam_servers.png]

The attachments (ZIP archives) have been crafted using names that resemble standard Italian business documents, but they actually contain executable files that compromise the system. As previously reported, the malicious executable creates a new msiexec.exe process and injects code into it, then joins the Andromeda botnet by connecting to the C&C 93.115.38[.]134 using RC4-encoded JSON.

In the second stage of infection, we have observed the download of one or two different payloads: Citadel (“ssdc32716372” gang) or Gozi/Ursnif (a recent variant, see here and here). In the recent past, other Andromeda botnets have been detected, one of them dropping Lethic malware instead of infostealers.

On June 24th we also identified a different sample with the same behaviour but targeting German users. That sample uses a different Command and Control server, 5.9.253[.]153.

Some IOCs we have identified so far:

Attachment names

349-fattura-dal-13-05-2015-creata-automaticamente-sistema-automatica.exe
DSC_0101_0111[jpg].jpeg-.exe
FATT. 130-2015 SRL noleggio_pdf_.exe
FT. 118 - 2015 srl noleggio _docx_.doc.exe
MMS_Email_N_8900277.jpeg_.exe
booking_hotel_confirmation.pdf_.exe
fatt._130-2015_srl_noleggio_pdf_.exe
fattura Tiscali numero 026778844.pdf.exe
fattura-100543246-sistem-genereted-verified.exe
ft._118_-_2015_srl_noleggio__docx_.doc.exe
ihre_rechnung_vom_24062015_als_pdf_.exe
img_005_apr2015.jpeg.exe
info_bank_pdf_xglapuk.exe
large_2_03_06_2015jpgjpeg.exe

Dropped files

Seemingly random names matching the regexp KB[0-9]{8}\.exe:

KB07341263.exe    (896dec6dd2e1190aa69e3f19bd7c00c9)
KB21743115.exe    (f7c776865c6e202a19a590e063303016)
KB21746240.exe    (1c04d9fac2fdc1017b8443de81dabc3c)
KB33798926.exe    (2d11c7b7d7b418a45a30cf4ba4e938d8)
KB07887278.exe    (1df302a42144ad240f7b0ee8b165840f)
KB36135815.exe    (ebb7e22d4a10cbed0d6f1a5be3163078)

Command and Control servers

hxxp://93.115.38[.]134/new/stats.php    (Italian campaign)
hxxp://5.9.253[.]153/new/stats.php      (German campaign)
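As an added example (not part of the original post), the dropped-file pattern and C&C URLs above can be turned into simple host and proxy-log checks. The lure regexp generalising the attachment names, the proxy-log line format and the sample inputs are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the post; the page writes the C&C addresses
# defanged, they are un-defanged here only so that log lines can be matched.
C2_HOSTS = {"93.115.38.134": "Italian campaign", "5.9.253.153": "German campaign"}
C2_PATH = "/new/stats.php"
# Dropped-file naming reported in the post: "KB" followed by eight digits.
DROPPED_FILE_RE = re.compile(r"(?:^|[\\/])KB[0-9]{8}\.exe$", re.IGNORECASE)
# Generalisation of the attachment lures on the page (an assumption, not a
# published indicator): an .exe carrying a fake document or image extension
# such as "_pdf_.exe", ".doc.exe" or ".jpeg-.exe".
LURE_RE = re.compile(r"[._-](?:pdf|docx?|jpe?g)[._-]*\.exe$", re.IGNORECASE)


def classify_filename(path):
    """Return 'dropped', 'lure' or None for a file path or attachment name."""
    if DROPPED_FILE_RE.search(path):
        return "dropped"
    if LURE_RE.search(path):
        return "lure"
    return None


def scan_proxy_log(lines):
    """Flag lines whose URL hits a known C&C host on the stats.php path."""
    # Line format is constructed for this example, not a real product format:
    # '<timestamp> <client-ip> <method> <url> <status>'
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of crashing on them
        client, url = parts[1], parts[3]
        parsed = urlsplit(url)
        if parsed.hostname in C2_HOSTS and parsed.path == C2_PATH:
            hits.append({"client": client, "host": parsed.hostname,
                         "campaign": C2_HOSTS[parsed.hostname]})
    return hits


# Constructed sample data mixing the page's indicators with benign entries.
SAMPLE_FILES = [
    r"C:\Users\mario\AppData\Local\Temp\KB07341263.exe",
    "fattura Tiscali numero 026778844.pdf.exe",
    r"C:\Windows\System32\msiexec.exe",
]
SAMPLE_LOG = [
    "2015-06-24T10:01:02Z 10.0.0.5 POST http://93.115.38.134/new/stats.php 200",
    "2015-06-24T10:02:10Z 10.0.0.9 POST http://5.9.253.153/new/stats.php 200",
    "2015-06-24T10:02:11Z 10.0.0.9 GET http://93.115.38.134/other.php 404",
]
```

Only requests to the exact stats.php path on the listed hosts are flagged; a request to the same IP on another path is left alone so the check stays tied to the published URL.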