Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy. The spam emails attempt to install the pervasive Andromeda malware onto victim machines. This malware has been around since 2011 and shows no signs of stopping. Compromised hosts cause a victim’s machine to be attached to the Andromeda botnet, giving attackers the ability to push plugins or additional malware onto these machines.
Palo Alto Networks has observed two distinct campaigns that have resulted in approximately 210,000 emails. Of those 210,000 emails, 97% were sent to users in Italy. As shown in Figure 1, AutoFocus has tracked two distinct spam campaigns delivering Andromeda in the month of July.
Figure 1 Andromeda spam emails in July 2016
The geographic distribution of countries targeted during these campaigns is visualized below:
Figure 2 Geographic distribution of Andromeda spam campaigns in July
These particular campaigns have primarily targeted the insurance and high tech industries, as shown in Figure 3.
Figure 3 Industries targeted by Andromeda spam campaigns in July
Palo Alto Networks observed the following filenames and email subjects most frequently:
Top Email Subjects
- DOCUMENTO [18.15%]
- invio fattura Noleggio stampante [8.66%]
- Invio Estratto Conto [6.15%]
- Documento aruba.it [4.08%]
- Copia bollettino [4.06%]
- copia del bollettino [4.01%]
- bolla di accompagnamento [3.00%]
- lettera di vettura [2.98%]
- bolletta di carico [2.96%]
- distinta di spedizione [2.94%]
- 201607051045678890.pdf.exe [18.02%]
- Fattura N 305 Del 04-07-2016.xls.exe [17.30%]
- ft_12072016003.pdf.exe [14.14%]
- 20164805931 aruba.it.pdf.exe [11.74%]
- img-849903872011973.pdf.exe [10.91%]
- 19047-450N-M01-01pdf.PDF.exe [8.37%]
- FAT-E,FAT-B_2016_07.PDF.exe [5.57%]
- -Trasport 904821.pdf.exe [4.65%]
- DOC 2016 ordine.doc.exe [4.43%]
- progetto_85009400941750019201.pdf.exe [3.16%]
Not surprisingly, the majority of the email subjects and filenames observed are in Italian. An Italian-based hosting provider, Aruba, is referenced both in email subjects as well as filenames. When viewing the top email senders, we see further evidence that spammers are most likely posing as Aruba in an attempt to entice victims into opening up the attached files. The emails below are almost certainly spoofed, and it’s highly unlikely that Aruba is sending out these emails.
Top Email Senders
- firstname.lastname@example.org [6.11%]
- email@example.com [6.06%]
- firstname.lastname@example.org [2.21%]
- email@example.com [2.17%]
- firstname.lastname@example.org [2.15%]
- email@example.com [2.14%]
- firstname.lastname@example.org [1.10%]
- email@example.com [1.10%]
- firstname.lastname@example.org [1.05%]
- email@example.com [1.04%]
The abundance of Italian-based domain names witnessed are as expected due to the high volume of spam emails being sent to Italy.
The example email in Figure 4 was obtained via a third party, and demonstrates what an email from this campaign may look like. As we can see, this specific email has no message body.
Figure 4 Example email from Andromeda spam campaign
The Andromeda botnet, which surfaced in 2011, has been discussed at great length by other researchers. Readers are encouraged to reference the following articles to better understand the inner workings of this malware family and its infrastructure.
- Andromeda under the microscope
- The Andromeda/Gamarue botnet is on the rise again
- Andromeda Botnet Hides Behind AutoIT
- Andromeda – An attack kill chain analysis
Overall, Andromeda is very modular, and has been responsible for deploying other popular malware families in the past. In previous years, Andromeda was responsible for delivering a number of point of sale (POS) malware families, such as GamaPOS. Additionally, some of the modules loaded by Andromeda perform the following functionality:
- Browser Formgrabber
- Hidden Remote Access
All users should be aware of the Andromeda threat and take the necessary actions to stay protected, especially users in Italy. Users are encouraged to be suspicious of unsolicited emails, and look to ensure that the message sender is legitimate. Additionally, executables provided in email attachments should rarely, if ever, be opened, including those wrapped within a compressed ZIP file.
Palo Alto Networks customers are protected against this threat in the following ways:
An AutoFocus tag exists for the tracking and identification of this malware family.
- All samples encountered within this campaign are correctly identified as malicious by WildFire.
- An IPS rule (Andromeda.Gen Command and Control Traffic) identifies Andromeda-related network traffic.