Andromeda Spider

Description

(Virus Bulletin) Andromeda, also known as Gamaru and Wauchos, is a modular and HTTP-based botnet that was discovered in late 2011. From that point on, it managed to survive and continue hardening by evolving in different ways. In particular, the complexity of its loader and AV evasion methods increased repeatedly, and C&C communication changed between the different versions as well.

We deal with versions of this threat on a daily basis and we have collected a number of different variants. The botnet first came onto our tracking radar at version 2.06, and we have tracked the versions since then. In this paper we will describe the evolution of Andromeda from version 2.06 to 2.10 and demonstrate both how it has improved its loader to evade automatic analysis/detection and how the payload varies among the different versions.

This article could also be seen as a way to say ‘goodbye’ to the botnet: a takedown effort, followed by the arrest of the suspected botnet owner in December 2017, may mean we have seen the last of the botnet that has plagued Internet users for more than half a decade.

The Andromeda botnet has also been observed in use by Transparent Tribe (APT 36).

Names

Name              | Name-Giver
Andromeda Spider  | CrowdStrike

Country

Motivation

  • Financial gain

First Seen

2011

Observed Countries

Tools

Counter Operations

Information

Other Information

Uuid

0d8893cf-3c8f-4c3f-a9e5-67b29b55937e

Last Card Change

2020-04-15