Summary:
Cybereason Security Services has identified a new cluster of Command and Control (C2) servers associated with the Andromeda/Gamarue malware, which is targeting manufacturing and logistics companies in the APAC region. The investigation revealed the use of infected USB drives as the initial infection vector, leading to industrial espionage activities. Recommendations for protection against these threats have been provided.
#Andromeda #CyberEspionage #C2Servers
Key points:
- Discovery of a new Andromeda cluster of C2 servers.
- Targeting of manufacturing and logistics companies in the APAC region.
- Suspected motive of industrial espionage.
- Initial infection vector identified as infected USB drives.
- Malware capable of downloading additional malware and stealing sensitive information.
- Multiple malicious files and processes detected in the victim environment.
- Recommendations for enhancing security measures against the identified threats.
MITRE Techniques:
- Initial Access (T1091): Utilizes removable media for infection.
- Execution (T1204.002): User execution of malicious files through LNK shortcuts.
- Execution (T1055.001): Process injection via dynamic-link library injection.
- Execution (T1059): Command and scripting interpreter usage.
- Persistence (T1547.009): Shortcut modification for boot or logon autostart execution.
- Persistence (T1543.003): Creation or modification of system processes, such as Windows services.
- Persistence (T1129): Use of shared modules for persistence.
- Defense Evasion (T1036.003): Masquerading by renaming system utilities.
- Defense Evasion (T1027.002): Software packing to obfuscate files.
- Defense Evasion (T1112): Modification of the registry for stealth.
- Defense Evasion (T1036.004): Masquerading as tasks or services.
- Command and Control (T1071.001): Utilizes web protocols for application layer communication.
IoC:
Full Research: https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2