A newly identified cluster of command-and-control (C2) servers has been attributed to the notorious Andromeda malware and appears to be designed to target various industries in the Asia-Pacific (APAC) region.
This malware has been around for over a decade and is recognised for its modular design and versatility. Its capabilities have attracted cybercriminals because it has proven to be a valuable weapon for cyberattacks.
Despite being one of the oldest malicious payloads, Andromeda is still under active development.
Cybercriminals typically distribute Andromeda through malicious email attachments, infected USB devices, and secondary payloads. The threatening aspect of these attacks is that the delivery methods are still evolving.
Some of this backdoor’s primary capabilities are downloading and executing new malware, harvesting personal information such as passwords, and providing remote access to the infected host. This adaptability has made it a popular choice for threat actors, especially those running industrial espionage operations.
One research study on the malware reveals the advanced strategies the threat actors use to target organisations in the APAC region. Initial infection vectors include “USB drop attacks,” in which compromised USB drives execute malicious content when connected. Once a host is infected, rundll32.exe is used to load disguised DLLs with uncommon invocation patterns.
A significant finding is that files named “desktop.ini,” which masquerade as ordinary system files, serve as payloads that launch the malware’s actions. These files are routinely downloaded using WebDAV exploits, and network behaviour reveals connections to malicious domains backed by certificates.
The new cluster of C2 servers demonstrates a sophisticated infrastructure; an inquiry found that one of the C2 domains resolved to several IP addresses. Andromeda’s versatility also gives operators dynamic command delivery, maintaining a constant connection between the malware and its operators.
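As an added, defensive illustration (not code from the research cited above), the following Python triage script applies heuristics matching the chain just described to process command lines: rundll32.exe loading a module that is not a .dll (such as a desktop.ini file) from removable media, a user-writable folder, or a WebDAV UNC path. The sample command lines, file paths and the 192.0.2.10 host are constructed placeholders, and treating any non-C: drive as removable media is a simplifying assumption.

```python
import re

# Constructed process-creation command lines (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    r'rundll32.exe "E:\desktop.ini",DllEntry',                          # USB-style drop
    r'rundll32.exe shell32.dll,Control_RunDLL',                          # benign, by name only
    r'rundll32.exe C:\Users\alice\AppData\Roaming\update.dat,Start',     # disguised DLL
    r'rundll32.exe \\192.0.2.10@80\DavWWWRoot\pub\desktop.ini,Run',      # WebDAV redirector
    r'rundll32.exe C:\Windows\System32\cryptui.dll,CryptUIWizImport',    # benign system DLL
]

# rundll32 argument grammar: <module>[,<entrypoint>], module optionally quoted.
MODULE_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_module(cmdline):
    """Extract the module path rundll32 was asked to load, or None if unparseable."""
    m = MODULE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def assess(cmdline):
    """Return heuristic reasons this rundll32 invocation looks suspicious (empty = clean)."""
    module = parse_module(cmdline)
    if module is None:
        return []
    low = module.lower()
    reasons = []
    if not low.endswith(".dll"):
        reasons.append("module lacks .dll extension (possible disguised DLL)")
    if low.startswith("\\\\"):
        tag = " via WebDAV redirector" if "davwwwroot" in low or "@" in low.split("\\")[2] else ""
        reasons.append("module loaded from a remote UNC path" + tag)
    elif re.match(r"[a-z]:\\", low) and not low.startswith("c:\\"):
        # Assumption: in this sample any non-C: drive letter is treated as removable media.
        reasons.append("module on non-system drive (possible removable media)")
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("module in user-writable directory")
    return reasons


def scan(cmdlines):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {c: r for c in cmdlines if (r := assess(c))}


if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS).items():
        print(cmd, "->", "; ".join(why))
```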
Furthermore, the investigation indicates possible linkages to the notorious Turla group, as this particular campaign appears to repurpose an old Andromeda sample whose C2 was hijacked by the group.
This newly discovered operation aims to disrupt the manufacturing and logistics industries in APAC, with industrial espionage as the alleged motivation. The attackers use Andromeda’s modular design to gain access to networks, steal critical information, and deploy additional malware strains.
Organisations in the region, especially in the manufacturing and logistics industries, should therefore be wary of this newly discovered cybercriminal campaign.
