Authorities dismantle Andromeda Botnet that infected millions of devices

In an international cyber operation, the law enforcement authorities have dismantled a massive botnet called Andromeda (also known as Wauchos and Gamarue) associated with 80 malware families and compromising millions of Windows-based computers worldwide.

Andromeda was developed in September 2011 to infect the computer systems of unsuspecting users, steal personal data and install additional malware from 80 dangerous malware families on the infected device. Furthermore, the botnet was detected on, or blocked from, an average of over 1 million machines every month.

The operation to dismantle Andromeda was conducted by Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), the Luneburg Central Criminal Investigation Inspectorate in Germany and the Federal Bureau of Investigation (FBI), Europol revealed.

Microsoft, ESET, and several other firms also cooperated with the authorities by providing key research into Andromeda. According to ESET’s blog post, the firm provided in-depth details on the botnet including 1,214 infected domains and IP addresses of the botnet’s command and control servers.

Moreover, ESET found cybercriminals spreading Andromeda malware through social media, removable media, instant messaging, email spam and exploit kits. Originally the malware was sold on the dark web as a crime kit, allowing attackers to customise it to infect devices, take them over and steal personal data, including content entered into web forms by the user.

“In the past, Wauchos has been the most detected malware family amongst ESET users,” said Jean-Ian Boutin, a senior malware researcher at ESET, in the release. “This particular threat has been around for several years now, and it is constantly reinventing itself – which can make it hard to monitor. But… we have been able to keep track of changes in the malware’s behavior and consequently provide actionable data which has proven invaluable in these takedown efforts.”

Andromeda Botnet admin panel screenshot

Microsoft, for its part, revealed that it captured 2 million unique Andromeda victim IP addresses from 223 countries during 2 days of sinkholing. On November 29th, authorities dismantled the botnet and arrested a suspect in Belarus.

Andromeda is the third botnet to go down this year. Previously, IT security giants killed the WireX Android DDoS botnet in a joint cyber operation, while in April authorities killed the Kelihos botnet and arrested a Russian hacker.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.