ANDROMEDA

Malware Profile Updated 24 days ago
Andromeda is a type of malware, or malicious software, designed to compromise and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Andromeda has been involved in spreading another malware family, Dridex, at different stages of its lifecycle, alongside other botnets such as Necurs and Cutwail. In addition, it appears that Tomiris may have hijacked defunct Andromeda hostnames or domains.

In our research, we analyzed the registration information of the command-and-control domains used by ProjectM for the Andromeda, Crimson, and Peppy Trojans. The Andromeda samples used these undisguised domains to deliver Peppy Trojans, which in turn used the previously observed ProjectM domain “bbmdroid.com” as a C2 server. It was also found that the malware authors tested Andromeda in a virtual environment and implemented a check that allowed the VM detection to be bypassed. Andromeda has also been linked with the Slave malware: a machine must first be infected with Andromeda, which then downloads Slave. The two are distinct strains of malware and do not communicate with each other. Andromeda is typically distributed via email messages disguised as outstanding invoices.

Furthermore, this year Turla, a Russian-speaking Advanced Persistent Threat (APT) group, was seen using command-and-control servers from the decade-old Andromeda malware to target and spy on Ukrainian systems.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Malware
ID | Type | Votes | Profile Description
KOPILUWAK | Unspecified | 2 | KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Associated Threat Actors
ID | Type | Votes | Profile Description
Turla | Unspecified | 4 | Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the ANDROMEDA Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 6 months ago | Turla: A Galaxy of Opportunity
MITRE | a year ago | ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
CERT Polska | a year ago | Slave, Banatrix and ransomware
CERT Polska | a year ago | E-mail trojan attack on Booking.com and online auction website Allegro.pl clients
CERT-EU | a year ago | Tomiris called, they want their Turla malware back
CERT-EU | a year ago | Tomiris called, they want their Turla malware back - GIXtools
CERT-EU | 6 months ago | Search | arXiv e-print repository
CERT Polska | a year ago | Honeynet Project Workshop CrackMe Solution
CERT-EU | 9 months ago | Russia’s 'Turla' Group – A Formidable Cyberespionage Adversary
CERT-EU | a year ago | Nuspire Q4 2022 and Year in Review Threat Report: Cyber Threat Numbers Make History
DARKReading | a year ago | FBI Disarms Russian FSB 'Snake' Malware Network
MITRE | a year ago | Stopping Serial Killer: Catching the Next Strike - Check Point Research
Checkpoint | a year ago | 9th January – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Turla Disrupted: What Does That Mean for Russian Cyber Operations?
CERT-EU | a year ago | Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU | 4 months ago | A guide to the most important characters in Sarah J. Maas' 'Crescent City' series