The Andromeda botnet is ballooning once again

Cybercriminals are, once again, trying to swell the number of computers compromised by the Andromeda backdoor. This will allow them to control the machines and download additional malware at the behest of the highest paying customer/renter.

According to G Data security experts, the botnet’s C&C server is currently just waiting to hear from compromised computers, and is still not sending out instructions to the bots, meaning that the botnet masters are still in the botnet building stage.

But, if you have recently received an unsolicited email with a DOC file that instructed you to enable Word macros in order to see its contents, chances are good that your computer has become part of it.

The researchers documented two separate spam campaigns that targeted Polish and German users and used different stages to download, unpack and run the exact same executable (msnjauzge.exe).

In the first one, the lure is a Word document supposedly containing a contract. Once opened, the document instructs the potential victim to enable “macroses” (a grammatical error that non-English-speaking users might not notice, and which therefore might not raise their suspicion).

Doing so triggers the execution of a macro that creates and executes a binary, which then extracts a bitmap image stored in its .resource file. The image’s R, G and B values are then used to build a byte array which, once decrypted, forms a .NET file. This file is loaded and executed, stores a payload in memory and executes it. The payload parses the original .NET binary and extracts data from it. When decrypted, this data forms the msnjauzge.exe file – the Andromeda dropper.

The researchers have elegantly compared this process to the design of the popular Matryoshka dolls.

In the second spam campaign, the process is a little more straightforward, but the end result is the same: the target machine becomes an Andromeda bot.

“This botnet seems to be at the beginning of its lifetime and does most probably not yet count millions of infected systems, which we derive from the rather low level of different samples identified for this campaign during the analysis phase for this article. But it is difficult to predict the evolution of this botnet,” the researchers noted, and urged users to think twice before changing settings to allow macros to be executed automatically.

Setting this particular example aside, this is definitely good advice, as macro-based malware is on the rise.