Europe, US take down massive Andromeda botnet


Recorded Future, which was a participant in the investigation leading to the arrest, expanded further, saying that Jaretz was the mastermind of the worldwide cybercriminal group responsible for the distribution and maintenance of the Andromeda Trojan.

33-year-old Sergey Jaretz of Rechitsa, Belarus, was arrested by local authorities on December 4 on behalf of a joint task force of European law enforcement agencies, the U.S. Federal Bureau of Investigation and several non-EU member states.

"But by using ESET Threat Intelligence and by working collaboratively with Microsoft researchers, we have been able to keep track of changes in the malware's behaviour and consequently provide actionable data which has proven invaluable in these takedown efforts".

Security researchers at ESET, in collaboration with Microsoft and law enforcement agencies - the Federal Bureau of Investigation (FBI), Interpol, Europol, and other stakeholders in cybersecurity - have today taken down a major botnet operation known as Gamarue (detected by ESET as Win32/TrojanDownloader.Wauchos), which has been infecting victims since 2011.

Organizations participating in the Andromeda investigation included the Europol European Cybercrime Center, the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, the Joint Cybercrime Action Task Force, Eurojust and private-sector partners.

Researchers have found that the Gamarue malware is sold as the Andromeda bot on underground markets.

The Gamarue botnet has been plaguing computers since 2011, infecting more than 1.1 million systems per month, with particularly heavy infection rates in many Asian countries. Microsoft said that the botnet was responsible for dropping over 80 malware families, including some risky ransomware strains.

"In the past, Wauchos has been the most detected malware family amongst ESET users, so when we were approached by Microsoft to take part in a joint disruption effort against it, to better protect our users and the general public at large, it was a no-brainer to agree", comments ESET senior malware researcher Jean-Ian Boutin. From there, ESET and Microsoft were able not only to track the botnet but also to locate the aforementioned servers.

Europol said a suspect had been arrested in Belarus but did not mention any additional details.

The software has mainly been used to steal login credentials and to install additional malware, according to ESET's Boutin.

Andromeda is thought to have spawned out of the now-dismantled Avalanche malware-spreading network, and was used to distribute 80 different kinds of malware on a global scale.

"The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us".

More than 1,500 malicious domains used to control the botnet were sinkholed, and all traffic from infected computers was rerouted to less risky sites. Microsoft noted that these domains were contacted by over two million IP addresses in 223 countries and municipalities.