Most of the distribution channels of the popular botnet Andromeda (also known as Gamarue) have been discovered and analyzed by antivirus vendors. This has forced Andromeda’s distributors to come up with a new attack strategy in order to keep dropping Andromeda binaries onto PCs.
Meanwhile at the Andromeda headquarters…
Operator: “Captain, all of our distribution channels have been discovered!”
Captain: “Report the loss.”
Operator: “Email scams, exploit kits, everything is known to the public.”
Captain: “Operator, let’s start with plan N!”
Operator: “Roger that, captain.”
Before we dive into Andromeda’s new tactic, I’d recommend reading this article by fellow security researchers from Stormshield, which describes one of Andromeda’s most recent phishing campaigns. We have observed similar Andromeda email phishing campaigns. Most of the emails we have seen appear to target Germans and Italians. However, these two target groups seem to be too clever to fall for the bait, as they are not among the most infected users.
Some of the popular subject lines used to target Germans and Italians are “Your current bill” and “A nude photo of you has appeared on the Internet”.