Travelling to the far side of Andromeda at Botconf 2015

It has been a while since I wrote the last time here and since I presented at Botconf, but I wanted to share my slides here too. A couple of weks after the sad terrorist attacks in Paris, Botconf was held in the city of love. Way more secure than before and with lots of security controls which almost made me lose my return train, but it was worth it. Attending a security conference focused on cybercrime, malware, reverse engineering and intelligence is always a good plan :) I really recommend you attending Botconf this year in Lyon, you will not regret it ;)

My presentation was about Andromeda. This is the abstract:

Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.
This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.


Andromeda/Gamarue bot loves JSON too (new versions details)

After my last post about Andromeda different updates related to version 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions.


Andromeda versions


After version 2.08, the parameter used to send the bot version to the panel was removed from the POST request, so now it is a bit more difficult to distinguish between versions. An easy way to spot the different versions is taking a look at the request format strings:


  • id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu (<=2.06)

  • id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu (2.07/2.08)

  • id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu (2.09)

Dissecting SmokeLoader (or Yulia's sweet ass proposition)

In mid-August I started receiving some emails from Yulia. She wanted me to take a look at her sweet ass:


I was not sure about it, but after receiving some more emails like this I took a look (I received the last one on the 10th of September). Then I found out that this was the beginning of a SmokeLoader campaign, I was really disappointed :( Out of spite, I started analyzing it ;p

These are some of the headers and the message body:

Date:   Wed, 13 Aug 2014 12:55:56 -0400
From:   "Yulia" <>
Subject: My new  photo

Hi it is Yulia fuck me ass at night. Look at my sweet ass on a photo I wait for you

I don't want to duplicate the information already published about this loader, so you can check the post published in July by StopMalvertising and what my colleague Michael Sandee said about it in 2012. Since then, SmokeLoader (known as Dofoil too) has modified the encryption to communicate with the C&C, added some extra plugins, etc.

After executing the binary you can easily spot that something is happening in your computer because you can see some strange POST requests to some known URLs. These URLs are extracted from the registry, opening the key Software\Microsoft\Windows\CurrentVersion\Uninstall and looking at the values of HelpLink and URLInfoAbout for the installed programs.  

Yet another Andromeda / Gamarue analysis

Some days ago I read the post about Joe Security's error when they analyzed an Andromeda sample and I also found new samples of this Trojan. Then I decided that I should write something about it. At least, just to remember some tricks of Andromeda for the next time and not starting from scratch. I'm Dory, I forget things ;)

When I analyzed this malware some months ago I thought that it was quite interesting due to the Anti-debugging and Anti-VM tricks it uses. You can also find references to the same malware with the name of Gamarue. It seems it is cool to rename the same malware with different names. Then you can find some families with three different names, like Cridex / Feodo / Bugat. Anyway, I also found these two links with very good and detailed information about analyzing Andromeda:


Syndicate content