Tech companies and law enforcement agencies have collaborated to successfully take down a massive botnet that was used to drop malware on vulnerable systems. Known as the Andromeda or Gamarue botnet, it impacted over two million machines and distributed over 80 types of malware.
The botnet was eventually taken down after a joint operation between the FBI, Europol's European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force, the Lüneburg Central Criminal Investigation Inspectorate in Germany, and the European Union's Eurojust agency, along with Microsoft and ESET. "The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue," Microsoft wrote in its statement. "In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure."
The company analyzed over 44,000 malware samples and identified 464 distinct botnets. Microsoft and ESET researchers provided detailed information about that infrastructure to law enforcement agencies around the world. Microsoft said that the botnet was responsible for dropping over 80 malware families, including some dangerous ransomware strains. Going back to 2011, Gamarue has been distributing a plethora of other threats, including:
- Kasidet (aka Neutrino bot)
- Lethic spam bot
- Ursnif, Carberp, and Fareit
Authorities have also arrested at least one suspect thought to be associated with Andromeda. "This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale," Steven Wilson, Head of Europol's European Cybercrime Centre, said. "The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."
ESET, Microsoft and law enforcement agencies work together to disrupt Andromeda botnets
Gamarue first appeared in September 2011 and has since transformed into a sophisticated threat. The crime kit, sold on the dark net, offered criminals customization options for deploying their own custom builds. According to researchers, the botnet was responsible for infecting over 1.1 million systems every month, spreading through social media, messaging apps, spam emails, and exploit kits.
Cybercriminals were using the Gamarue family to steal credentials and download and install additional malware on the infected systems. It took Microsoft and ESET 18 months to identify the command and control communications behind Gamarue and then provide that information to the authorities.
"In the past, Wauchos [Gamarue] has been the most detected malware family amongst ESET users, so when we were approached by Microsoft to take part in a joint disruption effort against it, to better protect our users and the general public at large, it was a no-brainer to agree," Jean-Ian Boutin, Senior Malware Researcher at ESET, said. "This particular threat has been around for several years now and it is constantly reinventing itself - which can make it hard to monitor."
Boutin added that "by using ESET Threat Intelligence and by working collaboratively with Microsoft researchers, we have been able to keep track of changes in the malware’s behavior and consequently provide actionable data which has proven invaluable in these takedown efforts."