ANDROMEDA

Malware updated 7 months ago (2024-05-04T20:38:54.824Z)
Andromeda is a type of malware, or malicious software, designed to compromise and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Andromeda has been involved in spreading another malware family, Dridex, at different stages of its lifecycle, alongside other botnets such as Necurs and Cutwail. In addition, it appears that Tomiris may have hijacked extinct Andromeda hostnames or domains. In our research, we analyzed the registration information of the command and control domains used by ProjectM for the Andromeda, Crimson, and Peppy Trojans. The Andromeda samples used these undisguised domains to deliver Peppy Trojans that in turn used the previously observed ProjectM domain "bbmdroid.com" as a C2 server. It was also found that the malware authors tested Andromeda in a virtual environment, implementing a check that allowed them to bypass the malware's own VM detection. Andromeda has also been linked with the Slave malware: a machine must first be infected with Andromeda before the Slave malware is downloaded. The two are distinct strains and do not communicate with each other. Andromeda is typically distributed via email messages disguised as outstanding invoices. Furthermore, this year Turla, a Russian-speaking Advanced Persistent Threat (APT) group, was seen using command-and-control servers from the decade-old Andromeda malware to target and spy on Ukrainian systems.
Description last updated: 2024-05-04T16:39:31.601Z
Aliases: none currently tracked
Type: Malware
Analyst Notes & Discussion
Associated Malware
Alias: KOPILUWAK
Description: The KOPILUWAK Malware is associated with ANDROMEDA. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Alias: Turla
Description: The Turla Threat Actor is associated with ANDROMEDA. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Association Type: Unspecified
Votes: 4