A recently discovered cluster of Command and Control (C2) servers tied to the Andromeda/Gamarue malware family has raised concerns within the cybersecurity community. This newly identified cluster has been found to target manufacturing and logistics companies in the Asia-Pacific (APAC) region, where it is suspected that the motive behind the attacks is industrial espionage. Andromeda, also known as Gamarue, has been active since 2011 and is widely used by cybercriminals to establish backdoor access for stealing sensitive data and delivering additional malicious payloads.
The attack chain begins with infected USB drives, which are commonly used to deliver the Andromeda malware. These USB devices are manipulated to contain LNK files designed to deceive users into clicking on them, triggering the malware’s execution. Once executed, the malware uses rundll32.exe to load malicious DLL files that are named to appear as legitimate system files. This method allows the attacker to bypass security measures and establish an entry point for further exploitation.
The primary function of Andromeda is to serve as a backdoor, allowing attackers to download additional malware, steal passwords, and provide remote access for ongoing control over infected systems. In the current campaign, the malware establishes communication with C2 servers using domains such as suckmycocklameavindustry[.]in, where it sends data back to the attacker. The malware also creates various files with different extensions, including .tmp, .exe, and .bin, in the victim’s system to facilitate the attack and maintain persistence.
The discovery of this cluster of C2 servers underscores the growing need for robust cybersecurity measures, especially in sectors such as manufacturing and logistics. Organizations in these industries must remain vigilant against such threats and implement strong defenses against USB-based attacks, ensuring that their systems are adequately protected from backdoor access and espionage activities. Regularly updating security protocols and training employees to recognize and avoid potential phishing attempts are crucial steps in mitigating the risk posed by these types of advanced malware campaigns.
Reference:
