Buzzword talk : ‘Andromeda Botnet’

by Aug 21, 2018

‘Andromeda’ or ‘Gamarue’ is one of the latest backdoor-type malware variants, found to be spreading at a rate of millions of computers per month. An international takedown operation led by the FBI and the European Cybercrime Centre (EC3) was conducted against Andromeda last year. Even so, remnants of this malware are believed to still be present on numerous computing devices.


Read our blog on security threats before proceeding further:

Andromeda mainly targets Windows operating systems, and the Andromeda botnet makes each infected computer part of its network. The botnet then distributes other threats from the roughly 80 malware families associated with Andromeda, such as ransomware (for example Petya, Cerber and Troldesh), banking trojans (Ursnif, Fareit and Carberp), DDoS malware (for example Fareit and Kasidet), spam bots (for example Cutwail and Lethic) and backdoors.

Andromeda works as a backdoor that receives commands from its control server to download and execute files, open remote shells, or uninstall itself from the system. The most common infection vectors used by this malware are spear-phishing emails, drive-by downloads, infected cracks (such as keygens, programs that generate a product licensing key such as a serial number), removable drives, malicious links in social media messages and exploit kits (for example Blacole).


Some of the other highlights of Andromeda attacks are :

  • It resides in memory.
  • It can steal sensitive information (such as operating system details, the local IP address and the root volume serial number).
  • It is modular (i.e. it can be extended via plugins such as a keylogger, a rootkit, TeamViewer, a spreader, etc.).
  • It is capable of using anti-virtual-machine as well as anti-debugging techniques.
  • Its indicators of compromise are system changes: file system changes, creation of a new instance of a process into which the malware injects itself, registry changes, and connections by the malware to certain networks.

Countermeasures to prevent Andromeda attack can be listed as:

  1. Enabling an efficient personal firewall on the workstation.
  2. Disabling autorun/autoplay policies.
  3. Restricting administrative access to system admins on administrative systems, and running users with limited privileges on other systems.
  4. Implementing a strong password policy with routine password changes.
  5. Disabling unnecessary services on agency workstations and servers.
  6. Always changing default login credentials before production deployment.
  7. Protecting oneself from pirated software downloads, social engineering attacks, untrusted websites, emails from untrusted sources, and unexpected emails from trusted sources.
  8. Monitoring traffic from client machines to the relevant domains and IP addresses, as per the installation guidelines.
  9. Reverting system changes (such as created files, registry entries and services) made by the attack.
  10. Ensuring the latest, updated antivirus solution is available to scan for infections.
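The network indicator in the highlights list and countermeasure 8 (monitoring client traffic to watch-listed domains and IP addresses) amount to the same detection job: parse outbound connection logs and flag any client that reached an indicator. The script below is an added example and is not code from the original post; it uses constructed proxy log lines and placeholder indicators (the `.example`/`.invalid` names and the 203.0.113.0/24 TEST-NET-3 range), not real Andromeda C2 values, and its simplified log layout is an assumption. It matches subdomains of watch-listed domains, matches IPs by CIDR, skips malformed lines and summarizes hits per client so an analyst can see which workstations to isolate and clean.

```python
"""Flag workstation traffic to watch-listed C2 domains/IPs in proxy log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed watchlist: placeholder indicators, not real Andromeda C2 values.
WATCHLIST_DOMAINS = {"c2-placeholder.example", "update-placeholder.invalid"}
WATCHLIST_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, documentation range

# Constructed sample log lines in an assumed "timestamp client destination status bytes" layout.
SAMPLE_LOG = """\
2018-08-21T10:00:01Z 10.0.0.15 www.example.com 200 5120
2018-08-21T10:00:05Z 10.0.0.15 panel.c2-placeholder.example 200 340
2018-08-21T10:00:09Z 10.0.0.22 203.0.113.45 200 1024
2018-08-21T10:01:12Z 10.0.0.22 mail.example.org 200 8700
2018-08-21T10:02:30Z 10.0.0.15 c2-placeholder.example 404 0
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest, status, nbytes = m.groups()
    return {"ts": ts, "client": client, "dest": dest,
            "status": int(status), "bytes": int(nbytes)}


def domain_matches(dest, domains):
    """True if dest equals a watch-listed domain or is a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in domains)


def ip_matches(dest, networks):
    """True if dest is an IP address inside a watch-listed network."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in net for net in networks)


def find_hits(log_text, domains=WATCHLIST_DOMAINS, networks=WATCHLIST_NETWORKS):
    """Return every parsed record whose destination is on the watchlist.

    A failed request (e.g. HTTP 404) still counts: the beacon attempt itself
    is the indicator, regardless of what the server answered.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if domain_matches(rec["dest"], domains) or ip_matches(rec["dest"], networks):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Map each client IP to the sorted, distinct watch-listed destinations it contacted."""
    summary = defaultdict(set)
    for rec in hits:
        summary[rec["client"]].add(rec["dest"])
    return {client: sorted(dests) for client, dests in summary.items()}


if __name__ == "__main__":
    for client, dests in summarize_by_client(find_hits(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(dests)}")
```

Run against real proxy or firewall exports, replace `SAMPLE_LOG` with the file contents and the placeholder watchlists with the indicators from the installation guidelines; the per-client summary is the list of machines whose system changes (files, registry entries, services) then need to be reverted under countermeasure 9.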


In this digital era of rapid technological advancement and growing security threats, Andromeda attacks, like any other security threat, need effective management.

To know more about managing today’s increased security threats, read our article on the same here:
