One of the oldest and widespread botnets in history was shut down last week in an international law enforcement operation led by the FBI. The malware’s infrastructure behind Andromeda was dismantled and one unidentified suspected hacker was arrested in Belarus, according to Europol.
First launched in 2011, Andromeda was detected on an average of one million machines every month in the last six months, according to Microsoft. The malware was behind one of the top spam campaigns of 2016, associated with as many as 80 malware families and frequently found on compromised websites and advertising networks.
Most notably, Andromeda was used by the Avalanche criminal hacking and fraud network, a global operation illegally bringing in millions of dollars per year until a bust last year.
“Andromeda malware has very long history,” researchers at the cybersecurity firm Avast wrote last year. “The authors are skilled programmers and operators, recently updating plugins, maintaining entire systems and looking for new infected domains with exploit kits.”
Beginning on November 29, law enforcement and cooperating tech companies including Microsoft took action against the servers and domains that were Andromeda’s infrastructure. In 48 hours, two million unique Andromeda victim IP addresses from 223 countries were captured, according to Europol.
Approximately 1,500 domains were sinkholed, a tactic to break the link between hackers and the computers they infect.
Also known as Gamarue, Andromeda was continuously updated so that new variants regularly appeared and spread infection around the world. The software is modular, so it can be updated through plugins like keyloggers, browser Formgrabbers, rootkits and remote controls.
Users bought access on criminal cybercrime markets as the software evolved to make security analysis more difficult. The software’s price could reach as low as $5.
In recent years, the software’s authors targeted the payment card industry in the United States, a potentially lucrative line of business for a persistent group of hackers. According to Trend Micro, dozens of American businesses were successfully infected.
A person in Belarus was also arrested in accordance with the takedown, however few details were given about the arrest.