A joint international operation conducted by the FBI and law enforcement agencies in Europe managed to dismantle the dreaded Andromeda botnet (aka Gamarue and Wauchos) last week.
Law enforcement authorities worldwide dismantled several long-running botnets powered by the malware family dubbed Gamarue, which the security firm ESET detects mostly as Win32/TrojanDownloader.Wauchos.
ESET worked with Microsoft to disrupt the botnets: the researchers tracked the malicious infrastructure, identified its C&C servers and the threats each of them delivered.
“Microsoft then contacted law enforcement with information that included: 464 distinct botnets, 80 associated malware families, and 1,214 domains and IP addresses of the botnet’s C&C servers.” states the analysis published by ESET.
The joint operation was performed on November 29 and involved experts from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners.
The takeover of the Andromeda botnet was also made possible by last year’s shutdown of a large criminal network known as Avalanche, an infrastructure used to power mass global malware attacks and money mule recruitment.
“One year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the international criminal infrastructure Avalanche. This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, and money mule recruitment campaigns.” reads the report published by Europol.
“Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week.”
According to Europol, the investigators identified 1,500 domains used by the Avalanche platform and sinkholed them in order to analyze the traffic and track the infected systems. Microsoft revealed that during 48 hours of sinkholing, the experts observed approximately 2 million unique Andromeda victim IP addresses from 223 countries.
The operation also included the search and arrest of a suspect in Belarus.
The investigators also extended the sinkholing of the Avalanche infrastructure for another year, since globally 55% of the computers originally infected through Avalanche are still infected.
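The two figures above (unique victim IPs per sinkholing window, and the share of originally infected machines still calling back a year later) are the kind of metric a sinkhole operator or a SOC derives from callback logs. The script below is an added example and is not code from ESET, Microsoft, Europol or the operation; the log format (one line per callback: ISO timestamp, client IP, Host header, country code), the `sinkholed-*.example` hostnames and every address in the sample are constructed for illustration. It deduplicates callbacks into victim IPs, breaks them down per country for a 48-hour window, and estimates persistence by intersecting the baseline victim set with a later window.

```python
"""Sinkhole callback analysis (added example; constructed data, not from the operation)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample log. Hostnames and addresses are invented; the format
# "<ISO timestamp> <client IP> <Host header> <country code>" is an assumption.
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 51.15.20.30 sinkholed-a.example US
2017-11-29T10:00:05Z 84.17.42.99 sinkholed-b.example DE
2017-11-29T11:30:00Z 51.15.20.30 sinkholed-a.example US
2017-11-30T09:15:00Z 103.27.8.77 sinkholed-a.example IN
2017-11-30T20:00:00Z 84.17.42.100 sinkholed-c.example DE
2017-12-02T08:00:00Z 177.54.6.2 sinkholed-a.example BR
2018-11-29T10:00:00Z 51.15.20.30 sinkholed-a.example US
2018-11-29T12:00:00Z 84.17.42.99 sinkholed-b.example DE
2018-11-30T03:00:00Z 10.0.0.5 sinkholed-c.example --
not a log line
"""


def utc(iso):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one callback line; return None for lines that must not be counted."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, host, cc = parts
    try:
        when = utc(ts)
        addr = ip_address(ip)
    except ValueError:
        return None
    # A sinkhole only ever sees a victim's public address. A private or otherwise
    # non-routable source means a proxy, a lab box or a log mix-up, not a victim.
    if not addr.is_global:
        return None
    return when, ip, host, cc


def parse_log(text):
    """All usable callback records from a log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def victims_in_window(records, start, hours):
    """Unique victim IPs per country that called back within [start, start + hours)."""
    end = start + timedelta(hours=hours)
    by_country = defaultdict(set)
    for when, ip, _host, cc in records:
        if start <= when < end:
            by_country[cc].add(ip)
    return by_country


def unique_victim_count(by_country):
    """Total unique victim IPs across all countries for one window."""
    return sum(len(ips) for ips in by_country.values())


def still_infected_fraction(records, baseline_start, follow_up_start, hours=48):
    """Share of baseline-window victim IPs seen again in a later window of the same length.

    One IP is not one machine: NAT hides many hosts behind one address and DHCP
    churn moves a host between addresses, so treat the result as an approximation.
    """
    baseline = set().union(*victims_in_window(records, baseline_start, hours).values())
    later = set().union(*victims_in_window(records, follow_up_start, hours).values())
    if not baseline:
        return 0.0
    return len(baseline & later) / len(baseline)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    base = victims_in_window(recs, utc("2017-11-29T00:00:00Z"), 48)
    for cc in sorted(base):
        print(f"{cc}: {len(base[cc])} unique victim IP(s)")
    print("unique victims in 48h:", unique_victim_count(base))
    frac = still_infected_fraction(recs, utc("2017-11-29T00:00:00Z"), utc("2018-11-29T00:00:00Z"))
    print(f"still calling back one year later: {frac:.0%}")
```

On the constructed sample the 48-hour baseline starting 2017-11-29 yields four unique victim IPs (two in DE, one each in US and IN; the BR callback falls outside the window and the 10.0.0.5 line is discarded), and two of those four are still calling back a year later. Real sinkhole feeds additionally need the Host header checked against the list of sinkholed domains, since scanners and researchers also hit sinkhole addresses directly.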
The activity against Andromeda and Avalanche involved the following countries: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, Australia, Belarus, Canada, Montenegro, Singapore, and Taiwan.
“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us,” Steven Wilson, the Head of Europol’s European Cybercrime Centre, said.
Technical details about the global operation are included in the report published by ESET.
(Security Affairs – Andromeda botnet, cybercrime)