ANDROMEDA

Malware updated 4 months ago (2024-05-04T20:38:54.824Z)
Andromeda is a malware family designed to compromise and damage computer systems. It typically infiltrates a machine through malicious downloads, e-mail attachments or websites, usually without the user's knowledge; once installed it can steal personal information, disrupt operations, or hold data hostage for ransom. Andromeda has been used to spread the Dridex banking malware at different stages of that family's lifecycle, alongside other botnets such as Necurs and Cutwail. It also appears that the Tomiris actor may have hijacked expired Andromeda hostnames or domains.

In our research, we analyzed the registration information of the command-and-control (C2) domains used by ProjectM for the Andromeda, Crimson and Peppy Trojans. The Andromeda samples used these undisguised domains to deliver Peppy Trojans, which in turn used the previously observed ProjectM domain "bbmdroid.com" as a C2 server. The malware authors were also found to have tested Andromeda in a virtual environment, implementing a check that allowed the VM detection to be bypassed.

Andromeda has also been linked with the Slave malware: a machine must first be infected with Andromeda before the Slave malware is downloaded onto it. The two are distinct strains and do not communicate with each other. Andromeda is typically distributed via e-mail messages disguised as outstanding invoices. Furthermore, this year Turla, a Russian-speaking Advanced Persistent Threat (APT) group, was observed using command-and-control servers from the decade-old Andromeda malware to target and spy on Ukrainian systems.
Description last updated: 2024-05-04T16:39:31.601Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware
Associated Malware
ID: KOPILUWAK
Type: Unspecified
Votes: 2
Profile Description: KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Associated Threat Actors
ID: Turla
Type: Unspecified
Votes: 4
Profile Description: Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Source Document References
Information about the ANDROMEDA malware was read from the documents corpus below. This display is limited to 20 results.

Source | Created | Title
CERT-EU | 8 months ago | A guide to the most important characters in Sarah J. Maas' 'Crescent City' series
CERT Polska | 2 years ago | Honeynet Project Workshop CrackMe Solution
CERT-EU | 10 months ago | Search | arXiv e-print repository
CERT Polska | 2 years ago | Slave, Banatrix and ransomware
DARKReading | a year ago | FBI Disarms Russian FSB 'Snake' Malware Network
Checkpoint | 2 years ago | 9th January – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT Polska | 2 years ago | E-mail trojan attack on Booking.com and online auction website Allegro.pl clients
CERT-EU | a year ago | Tomiris called, they want their Turla malware back
CERT-EU | a year ago | Russia's 'Turla' Group – A Formidable Cyberespionage Adversary
MITRE | 2 years ago | Stopping Serial Killer: Catching the Next Strike - Check Point Research
MITRE | 2 years ago | ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
CERT-EU | a year ago | Turla Disrupted: What Does That Mean for Russian Cyber Operations?
CERT-EU | a year ago | Tomiris called, they want their Turla malware back - GIXtools
CERT-EU | 2 years ago | Nuspire Q4 2022 and Year in Review Threat Report: Cyber Threat Numbers Make History
MITRE | 9 months ago | Turla: A Galaxy of Opportunity