Stellar Discovery of A New Cluster of Andromeda/Gamarue C2
Dec. 4, 2024, 9:22 a.m.
Description
A new cluster of Command and Control (C2) servers related to the Andromeda/Gamarue backdoor has been discovered, targeting manufacturing and logistics companies in Asia. The initial infection vector involves USB drive-by attacks, using LNK shortcuts to execute malicious DLLs. The malware employs rundll32.exe to load these DLLs, establishing C2 connections to domains with a specific TLS certificate. The Andromeda backdoor, known for its modular nature and ability to download additional malware, is used in conjunction with other malware families. Persistence is achieved through registry modifications, and the attackers attempt to evade detection by masquerading as Google applications.
Date
Published: Dec. 4, 2024, 3:54 a.m.
Created: Dec. 4, 2024, 3:54 a.m.
Modified: Dec. 4, 2024, 9:22 a.m.
Indicators
Attack Patterns
Pykspa
Gamarue
ANDROMEDA - S1074
Andromeda/Gamarue
T1036.003
T1055.001
T1543.003
T1036.004
T1547.009
T1091
T1027.002
T1071.001
T1204.002
T1129
T1112
T1059
Additional Information
Transportation
Manufacturing