Fake Qantas Spam Campaign Leads to Andromeda Bot Infection
If you have booked a flight from Qantas recently, you might be expecting a booking confirmation in your email inbox. Be wary however, because there are opportunist cyber crooks that spam out fake Qantas booking receipts. This malicious spam has been actively sent by the Cutwail botnet in the last few days.
The attachment ZIP file contains an executable of an Andromeda bot loader or also known as the Gamarue Trojan. Andromeda is a modularized cybercriminal's kit that can be purchased from underground hacker forums. The functionality of this bot can be expanded by adding plugins like form grabbing, rootkit, proxy capabilities and key loggers.
When run, the malware drops a file in the infected system:
%AllUsersProfile%\<MalwareName>.exe (e.g.C:\Documents and Settings\All Users\dxssogpn.exe)
Italso creates an autorun registry to ensure execution after Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSunJavaUpdateSched = "C:\Documents and Settings\All Users\<MalwareName>.exe"
Aregistry is also created to add the Trojan in the Windows firewall exceptionlist:
HKEY_LOCAL_MACHINE\SSYTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListC:\Documents and Settings\All Users\<MalwareName> = "C:\Documents and Settings\All Users\<MalwareName>.exe:*:Enabled:<MalwareName>"
It then executes a legitimate Windows file MSIEXEC.EXE and injects itself to that process.
The Trojan phones home to its command and control server and then sends and receives encrypted data:
Afterwards, It downloads an additional malicious executable file which in this case is a Zbot Trojan, a notorious Trojan that is capable of stealing banking information.
The Andromeda bot behaves differently in a monitored and debugged environment. It utilizes several anti-debugging and anti-VM (virtual machine) techniques. When it encounter that it's being debugged, it connects to TCP/IP address 0.0.0.0 and listens to port 8000, after which, it runs a new instance of CMD.EXE.
It may look like it opens a backdoor at port 8000 but this just a trick to confuse malware analysts.
Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others. Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it's a malicious email. But if you are cautious, you will easily tell a legitimate and a fake email. If you are technical enough, you may want to check if the attachment is an executable file, however for most people this may be too hard. Just be distrustful when you see unsolicited email in your inbox especially if you do not expect it. You can verify the sender but if you can't, just delete it and you should be fine. And also, avoid clicking on links in the email.