Crooks crack older version of Andromeda botkit

Jan 9, 2015 12:50 GMT
Image caption: Difference between the original version of Andromeda and the cracked one

An older version of Andromeda botnet malware has been observed by security researchers to deliver a bitcoin mining software to compromised computers.

The reason the cybercriminals do not employ a recent variant of the malware, which is regularly used for distributing banking Trojans or ransomware, is that they managed to bypass the older build's protection, allowing them to use it for whatever purpose they want.

Crackers adjust the code to their own needs

Bitcoin mining is among the least harmful forms of compromise because the goal here is not to steal sensitive information from the machine but to use its resources to mine the digital currency. The effect is a significant decrease in the performance of the system, as the operation is highly resource intensive.

Even though mining bitcoins is infeasible on a single machine, by using an entire network of compromised systems cybercriminals can ensure a hefty revenue stream.

Security researchers at Fortinet say that the build of the Andromeda bot that has been cracked is 2.06, and apart from the ability to spread other botnet malware, it can also download new modules and updates from the command and control server.

When analyzing this variant and comparing it to the original release of Andromeda, they noticed that the crackers added code designed to eliminate the subroutine for encrypting and decrypting certain parts of the code.

One reason for doing this is to be able to update data that was previously encrypted, such as the command and control (C&C) server address and the key used to encrypt the communication.

Life cycle of botnet kits is expanded

The bitcoin mining tool is delivered to the compromised computer through a command from the C&C server that has the threat download the asset from a specific address, under the name ysSync.exe.

Andromeda is a paid botkit and comes with several base modules for certain activities. However, software development in the underground is very active and new plug-ins appear from time to time, improving the capabilities of the malware.

Some of these components are sold for hundreds of dollars and can even be as expensive as $1,000 / €844.

“According to our brief analysis of this cracked version of Andromeda 2.06, we can see that a botnet’s life cycle can be longer than expected. Cybercriminals can buy botnet kits from the underground market, but can also use abnormal ways such as what we have described here - by cracking existing bots,” says He Xu from Fortinet.

Image captions: Difference between the original version of Andromeda and the cracked one; Build version is hardcoded