Results for andromeda botnet

Threat Research

A New All-in-One Botnet: Proteus

Introduction. The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that acts as a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The malicious features densely packed into this new malware also include the ability to drop other malware. We have compiled its main features in this brief analysis. Data Encryption. All C&C communication is encrypted with a symmetric algorithm....

Industry Trends

GamaPoS - .NET PoS Malware In the Wild

GamaPoS has received a fair amount of attention since its discovery, in part because the use of .NET is (currently) unique among PoS malware and in part because it leverages the versatile Andromeda botnet. At its core, though, GamaPoS is a scraper designed to steal payment data from the RAM of PoS systems.  GamaPoS is the first documented PoS malware to be written in .NET. Malware written in .NET comes with its advantages and its disadvantages, both for authors and researchers. The most obvious benefit for its authors is that it...

By Hong Kei Chan, July 20, 2015
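The snippet above describes GamaPoS as a RAM scraper: it walks process memory on the PoS host looking for magnetic-stripe track data. The following is an added example, not code from the Fortinet write-up or from GamaPoS, showing the core of that technique in Python: a Track 2 pattern match over a memory buffer with a Luhn check to discard digit runs that are not real card numbers. The memory sample is constructed here and uses a standard test card number (4111 1111 1111 1111); the same pattern-plus-Luhn pair is what a responder runs over a PoS process dump to confirm what a scraper could have taken.

```python
import re

# Track 2 as it typically sits in PoS process memory after a swipe:
# ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to drop false-positive digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (BIN + suffix), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes) -> list:
    """Return Luhn-valid Track 2 hits found in a raw memory buffer.

    PANs are masked in the result so a triage report does not itself
    become a cardholder-data leak.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed memory sample (not a real dump): one valid track, one track
# whose PAN fails Luhn, and some non-track noise.
SAMPLE_MEMORY = (
    b"\x00\x00MSR_READ\x00"
    + b";4111111111111111=25121010000000000000?"      # Luhn-valid test PAN
    + b"\x00junk;4111111111111112=25121010000000000000?\x00"  # Luhn-invalid
    + b"ABC=1234?"
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_MEMORY):
        print(hit)
```

Only the first track survives: the second has a PAN that fails Luhn, so a scraper (or a hunt script) skips it, and the offset tells a responder where in the process image the data sat.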

Threat Research

New Anti-Analysis Tricks In Andromeda 2.08

Andromeda is an infamous modular botnet that has been around for several years now. It is very popular in the underground cybercrime market, with many different variants that use different RC4 keys to encrypt and decrypt its network packets. Since the beginning of 2014, we have found that the version number, which can be seen in its network traffic, has changed to 2.08. This new version is very similar to the previous version 2.07. The main difference can be found at the beginning of the code, which contains Andromeda's anti-analysis tricks....

By He Xu, May 19, 2014
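Because Andromeda variants differ in the RC4 key protecting their C&C traffic, an analyst with a captured packet typically tries the keys recovered from previously analysed samples until one yields a readable beacon. The following is an added example, not code from the Fortinet article or from Andromeda itself: a dependency-free RC4 (KSA plus PRGA) and a candidate-key trial that accepts a key when the decrypted bytes are all printable. The key, the candidate list and the beacon text are constructed for the example and are not real Andromeda keys or its actual packet format; the "Key"/"Plaintext" vector used in the check is the public RC4 test vector.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. Encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed onto the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: a real beacon decrypts to printable ASCII, garbage does not."""
    return len(data) > 0 and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def find_key(ciphertext: bytes, candidates: list):
    """Try each candidate RC4 key; return (key, plaintext) for the first that
    produces printable output, or None if no candidate fits."""
    for key in candidates:
        pt = rc4(key, ciphertext)
        if looks_like_plaintext(pt):
            return key, pt
    return None


# Constructed example data: not a real Andromeda key or beacon format.
CONSTRUCTED_KEY = b"example-variant-key-not-real"
SAMPLE_PLAINTEXT = b"constructed beacon: version=2.08 host=WS01 bot=0001"
SAMPLE_CIPHERTEXT = rc4(CONSTRUCTED_KEY, SAMPLE_PLAINTEXT)

# Keys "known from earlier samples" in this example; only the last one fits.
CANDIDATE_KEYS = [b"wrong-key-alpha", b"wrong-key-beta", CONSTRUCTED_KEY]

if __name__ == "__main__":
    result = find_key(SAMPLE_CIPHERTEXT, CANDIDATE_KEYS)
    if result is None:
        print("no candidate key produced readable output")
    else:
        key, pt = result
        print("key:", key, "->", pt)
```

The printable-ASCII test is deliberately crude; a wrong key on a short packet can occasionally pass it, so in practice an analyst confirms a hit by checking that the recovered text also carries the fields (such as the version number mentioned above) the bot is expected to report.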

Threat Research

Andromeda 2.7 Features

[This article originally appeared in Virus Bulletin] Recently, we found a new version of the Andromeda bot in the wild. This version has strengthened its self-defense mechanisms by utilizing more anti-debug/anti-VM tricks than its predecessors. It also employs some novel methods for trying to keep its process hidden and running persistently. Moreover, its communication data structure and encryption scheme have changed, rendering the old Andromeda IPS/IDS signatures useless. In...

By Neo Tan, April 23, 2014

Threat Research

A Good Look at the Andromeda Botnet

[This article originally appeared in Virus Bulletin] Andromeda is a modular bot. The original bot simply consists of a loader, which downloads modules and updates from its C&C server during execution. The loader has both anti-VM and anti-debug features. It will inject into trusted processes to hide itself and then delete the original bot. The bot hibernates for a long time (from several days to months) between communications with its C&C server. As a result,...

By He Xu, April 16, 2014