Breadcrumb navigation

Andromeda Malware Analysis

NEC Security Blog

Aug 23, 2024

Dr. Sareena K P, Dr. Manikantan Srinivasan NEC Corporation India Pvt. Ltd.
Toshiki Takeuchi NEC Corporation

NEC Cyber Intelligence Group usually collects and analyzes cyber threat information and delivers to our customer or colleague. If we discover new threats or techniques that are not listed in MITRE ATT&CK, we report the findings to MITRE. As part of our activities, we also analyze malware. This article shows analysis of Andromeda malware which was added ATT&CK v13.

Andromeda, a common commodity dropper malware in the last decade, has been recently observed across incidents in industries in Ukraine. The dropper also known under the moniker “Gamarue” enables threat actors to create a network of infected computers that become part of Andromeda botnet. Specifically, researchers from Mandiant have reported the activities of Turla team, also known as UNC4210, who have employed Andromeda to selectively deploy the Kopiluwak and Quietcanary payloads to its victims new window[1].

The Mandiant report new window[1] details the payloads (Kopiluwak and Quietcanary), but not the Andromeda dropper, which we cover in this blog. Specifically, we introspect the Andromeda dropper sample and its evasion mechanisms, including software packing, process hollowing and masquerading. This blog is based on the analysis of the Andromeda sample, 9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7 new window[1].

Key findings. Below are the key findings from our study.

  1. Andromeda drops multiple files during its execution, including two encrypted files.
  2. Andromeda employs multiple evasion techniques such as obfuscating the calls to system libraries, detecting debuggers and employing evasive delays.
  3. Andromeda injects malicious code into system processes using the process hollowing technique.
  4. C2 communications are initiated by the target system process (svchost.exe) injected with malicious code.
  5. Difference of behavior across Windows 7 and Windows 10 environment.

Table of Contents

1. Research Methodology

We analyze the sample across different platforms and environments and present our understanding of the malware. The platforms include the malware analysis setup at NEC and third-party analysis frameworks such as JoeSandbox new window[2] and Any.run new window[3]. We analyse the malware on the following environments Windows 10 and Windows 7 operating systems. The analysis performed on these environments is captured in new window[4], new window[5].
While executing, Andromeda crashes abruptly on Windows 10 environment as verified on NEC setup as well as third party sandboxes. Hence, for the discussion in this blog, we rely on the Windows 7 environment. The details of the behavior on Windows 10 environment are presented in Section 4.

2. Behavior of Andromeda Malware

Andromeda packs its malicious code across multiple files that get dropped during its execution. The sample is delivered as Windows Installer, packaged and compressed with Nullsoft Scriptable Install System (NSIS). Extracting the sample using the 7z software reveals its structure and enables us to carve out the files (refer to Figure 1). The timestamp of the samples indicates the year 2013, emphasizing on the strategy of the actors to re-employing the older Andromeda samples. As observed the sample contains one executable named Sahofivizu.exe, 4 DLLs (Gozekeneka.dll, natigezeholi.dll, xuxokuxoka.dll, and Zojemilocan.dll, and an encrypted binary named Yumicebivud.rih).

In total, Andromeda drops 19 files including 4 executables, 8 DLL files, 2 encrypted data files (Yumicebivud.rih, rikayolehofu.Xoc), a file with .bat extension (msoiruj.bat), 3 text files, and one data file. Some files are dropped to the disk during the execution of the sample as shown in Figure 1. These files are deleted subsequently. On the other hand, few others are extracted to the memory and injected into a target process.

Figure 1 The files in the Andromeda sample.

Figure 2 details the process tree of the sample on a Windows 7 environment as it unwinds its malicious behaviour and attempts communication to the command & control (C2)server.

Figure 2 Process tree observed on Windows 7 64-bit environment new window[5].

The Andromeda sample is named Hu25VEa8Dr.exe (PID 2948) in Figure 2. The 8th process (msiexec.exe PID 2948) in the tree, injects the malicious code into svchost.exe. The svchost.exe performs the C2 communications. We discuss the IP addresses and the URLs accessed by the malware in Table 1.

2.1 Behavior Overview

The behaviour of Andromeda sample is shown in Figure 3.
Andromeda sample (Hu25VEa8Dr.exe, PID 2948) invokes the dropped executable Sahofivizu.exe. This newly created process (Sahofivizu.exe, PID 920) first reads and decrypts the Yumicebivud.rih file. Further, it creates an instance of the Hu25VEa8Dr.exe (PID 1724) and injects the decrypted contents of Yumicebivud.rih into it. Hu25VEa8Dr.exe loads the dropped DLLs (refer to Figure 3) via DLL side loading. These DLLs provide helper functionality for the process injection as described below.

Figure 3 The run-time sequences of Andromeda execution as observed in our analysis.

The Fetomekiratu function of Zojemilocan.dll decodes the Yumicebivud.rih file contents. To decode the encrypted contents, the function XORs each double word in the file with contents of the second argument passed to the function.

Finally, bedevahatey function of Nategazoholi.dll injects the Yumicebivud.rih file contents using the process hollowing technique. While the decrypted Yumicebivud.rih file is explained, the process hollowing technique is presented in detail.

The msiexec.exe, which is a Nullsoft Installer self-extracting archive (Figure 7) is invoked thrice in the Andromeda process tree (Refer to Figure 2).

In the first execution (PID 1948), it extracts and drops the following executables and DLLs on the filesystem: Jahulocayedo.dll, rikayolehofu.Xoc, yiduyevytog.dll, Lohonibuhod.exe, Firsozedkami.dll, and naseropuxeq.dll. It creates the Lohonibuhod.exe process in the suspended state and writes the contents of rikayolehofu.Xoc into the memory of the created process. Finally, it resumes the thread of the Lohonibuhod.exe process (PID 1396).

The svchost.exe process (PID 1740) drops the file msoiruj.bat. This file, though named with a .bat extension is a PE 32-bit executable. The MD5 hash of the file is b3657bcfe8240bc0985093a0f8682703, which indicates that it is a copy of the file msiexec.exe. To achieve persistence, the svchost.exe creates a registry key. Also, the file msiexec.exe has the hidden attribute. In repeated executions of the Andromeda sample, we observed different names for the file dropped by svchost.exe, such as msuqox.cmd, msoiruj.bat and msvtym.bat, indicating that the name of dropped file is randomly generated. The file name starts with ‘ms’ (indicating Microsoft) and has an extension similar to Windows files (.cmd or .bat) as an attempt to masquerade and appear as a legitimate Windows file. After the svchost.exe process connects to 3 domains, it communicates withC2 servers.

Network Communications

Check for internet connections

The malware contains logic for Internet connectivity check. For this, it invokes the system calls, socket, getsockname, connect, and closesocket. It attempts to connect to www[.]update[.]microsoft[.]com to test and confirm the Internet connection. Further, these APIs are invoked dynamically, and hence we do not observe these during the static analysis of the malware.

DNS queries

During the malware execution, after the process injection, the system process (C:\Windows\SysWow64\svchost.exe, PID 1740) connects to C2 servers. Andromeda makes multiple DNS queries to 8.8.4.4 and 8.8.8.8 (Refer to Figure 4). The corresponding DNS responses are also given in Table 1.

Figure 4 DNS requests made by Andromeda as observed on Wireshark.

Table 1 Domain queries from the malware, and the latest DNS records. The reputation of these domains in Virustotal in terms of detection by antivirus engines are also specified

Domain queries Antivirus Detection
pe[.]suckmycocklameavindustry[.]in 6/93 detections
img[.]suckmycocklameavindustry[.]in 5/93 detections
sc[.]suckmycocklameavindustry[.]in 6/93 detections
xdqzpbcgrvkj[.]ru 12/93 detections
anam0rph[.]su 9/93 detections
orzdwjtvmein[.]in 6/93 detections
ygiudewsqhct[.]in 8/93 detections
bdcrqgonzmwuehky[.]nl 6/93 detections
somicrososoft[.]ru 13/93 detections

File downloads.

The injected process svchost.exe exhibits functionalities to download files from the Internet. The memory traces indicate the use URLDownloadToFileW, GetTempPathW and GetTempFileNameW.
The svchost.exe downloads files into the %TEMP% directory and C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\.

HTTP Communications

The following URLs were accessed by svchost.exe during the malware executions as observed in our analysis.

Figure 5 and Figure 6 illustrate the HTTP GET and POST requests from the malware. One downloaded HTML included the response that the server is sinkholed(Refers to Figure 8). The other HTML file was empty.

Figure 5 Get Request from Andromeda as observed on Wireshark.
Figure 6 POST requests from Andromeda as observed on Wireshark.
Figure 7 HTTP Sessions as observed on Wireshark.
Figure 8 The domain which has been sinkholed by Kryptos Logic

URLs in memory

Apart from the observable network communications, multiple URLs are observed in the memory during the malware execution and injected code.

Figure 9 URLs which are observed in memory during execution of Andromeda
Figure 10 URLs which are observed in malicious payload

The URLs shown in Figure 9 are not observed the malicious code. Andromeda uses further obfuscated algorithm after process hollowing.

FUN_1001430 function connect the URL of first arguments of function. The path of the URL is used random 32 characters like following

http[://]pe[.]suckmycocklameavindustry[.]in/kyibnsbpivjxirbgrdsdmvblscjxkalm

3. Evasion

Andromeda malware adopts different techniques described below to evade debugging and analysis.

Obfuscating the calls to system libraries

Andromeda obfuscates the calls and use of system libraries by dynamically invoking system APIs. The system call sequence such as CreateProcess, NtUnmapViewOfSection and VirtualAllocEx are indicative of the process injection tactic.

Detecting debuggers

Andromeda also checks if a debugger is running in the system. The traces in Figure 11 shows the invocation of IsDebuggerPresent, GetCurrentProcess and TerminateProcess to terminate the process if a debugger is running on the system.

Figure 11 Anti-debugging technique to detect debuggers observed in our analysis on Joe Sandbox

Evasive delays

The malware invokes the sleep function to introduce delay in execution, probably to evade debugging. We also observed loops in the code of Sahofivizu.exe, which are probably to introduce delays in execution.

Figure 12 Andromeda invokes sleep to introduce delay in execution

4. Difference in Behaviour across Windows 7 and Windows 10

We observe that Andromeda unwinds its malicious behaviour on a Windows 7 64-bit environment, wherein svchost.exe exhibits communication attempts to command & control (C2) server as observed in Figure 2. In contrast, on a Windows 7 32-bit environments new window[3], Andromeda injects malicious code into wuauclt.exe, which in-turn performs the network communications to C&C. As observed, the target process to which the code is injected is different across environments.

On a Windows 10 environment, the malware crashes with an application error and quits execution. The Sahofivizu process terminates abruptly after an access violation error when it tries to access the ReadConsoleInputW. This results in a Windows error reporting and thus Werfault.exe is invoked. This behaviour was consistent on the Windows 10 environment on third party analysis environments as well

5. Conclusion

In this blog, we analysed an Andromeda dropper sample that was employed to drop payloads in attacks last year. The attack showcases the reuse of an older Andromeda sample (of 2013) to drop Kopiluwak and Quietcanary payloads at the target. We presented our analysis of the Andromeda dropper, including its dropped binaries, the evasion techniques it adopts to hinder static analysis, and the process hollowing technique it adopts to inject malicious code into a system process. Finally, we mapped our observations to the MITRE ATT&CK matrix and presented the indicators of compromise observed during our analysis.

References:

Appendix

MITRE ATT&CK Mappings

Table 2  MITRE ATT&CK techniques of Andromeda

Execution Privilege Escalation Persistence Defense Evasion Discovery Command & Control (C2)
Shared Modules (T1129) Process Injection (T1055) Registry Run Keys/Startup Folder Masquerading: Match Legitimate Name or Location (T1036) System Network Connections Discovery (T1049) Application Layer Protocol (T1071)
Native API
(T1106)
Registry Run Keys/Startup Folder
(T1547.001)
  Debugger Evasion (T1622) System Information Discovery (T1082) Ingress Tool Transfer (T1105)
    Obfuscated Files or Information (T1027) Security Software Discovery (T1518.001)  
      Software Packing (T1027.002) Debugger Evasion (T1622)  
      Process Injection (T1055) Query Registry (T1012)  
      System Time Discovery (T1124)  

Command and Control (C2).

  • T1071.001: Application Layer Protocol: Web Protocols
    Andromeda initiates both GET and POST requests via HTTP.
  • T1105: Ingress tool transfer
    The svchost.exe process downloads files via HTTP

Privilege Escalation

  • T1055: Process Injection
    Andromeda contains functionality to inject code to remote processes (CreateProcessA, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext).

Execution

  • T1106: Native API
    The malware has functionality to dynamically invoke API calls using GetProcAddress, GetModuleHandleA, LoadLibrary, and other cryptographic APIs.
  • T1129: Shared Modules
    Sahofivizu.exe invokes shared modules (functionalities in System DLL such as CreateProcess and Loadlibrary) to execute malicious payloads.

Persistence

  • T1547.001: Registry Run Keys / Startup Folder
    The svchost.exe process creates a key under with the below data.
    Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Data: C:\PROGRA~3\LOCALS~1\Temp\msoiruj.bat

Defense Evasion.

  • T1036 Masquerading: Match Legitimate Name or Location
    Andromeda creates files with names similar to system file names. For instance, C:\Users\IEUser\AppData\Local\Temp\MSI\msiexec.exe, and, C:\ProgramdData\svchost.exe
  • T1622: Debugger evasion
    Andromeda contains capabilities to check if a debugger is running in the system. new windowThe run-time traces show the invocation of IsDebuggerPresent, GetCurrentProcess and TerminateProcess to detect if a debugger is running and terminate accordingly.
  • T1027: Obfuscated files or information
    Sahofiziu.exe obfuscates its code and process hollowing logic by invoking the system APIs dynamically using offset references to the APIs in the systems DLLs.
  • T1027.002: Software Packing
    Andromeda had multiple files packed in it. The code in yumicebivud.rih is in encrypted/obfuscated format. During run-time, the file is decrypted onto memory.
  • T1055: Process Injection
    Andromeda contains functionality to inject malicious code to remote processes (CreateProcessA, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext).

Discovery.

  • T1082: System Information Discovery
    Multiple processes in the process tree (e.g. Sahofivizu.exe, msiexec.exe, Lohonibuhod.exe) attempts to discover system information such as check for supported languages, and read the computer name and machine GUID.
  • T1124: System Time Discovery
    Andromeda contains functionality to query local/system time e.g. GetTickCount
  • T1622: Debugger evasion
    Andromeda contains capabilities to check if a debugger is running in the system. new windowThe run-time traces show the invocation of IsDebuggerPresent, GetCurrentProcess and TerminateProcess to detect if a debugger is running and terminate accordingly.
  • T1057: System Process Discovery
    Andromeda contains functionalities to enumerate processes and threads (Process32FirstW,Process32NextW)
  • T1083: File and Directory Discovery
    Andromeda contains functionality to query local drives (GetDriveTypeW), Check free disk space (GetDiskFreeSpace), and also reads INI files.

IoCs

Table 3.

  IoCs
SHA256 9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
SHA1 c6858031315a50ec87e37966291ec69b64600efb
MD5 bc76bd7b332aa8f6aedbb8e11b7ba9b6
SSDEEP 3072:ugXdZt9P6D3XJ3TCM/vosUE2L/TLqtAyD2XXhtksIae31fXJHhKgzyJtdeV:ue34p/vr6yrC2sJe35ZBKg0dW
TLSH T16B14024364F582BFD6820432D5B92B79D77BCD8D438A7A470B447F21BA318D3C909E8A
Popular threat label on Virustotal trojan.gamarue/nsis
Domains pe[.]suckmycocklameavindustry[.]in
img[.]suckmycocklameavindustry[.]in
sc[.]suckmycocklameavindustry[.]in
xdqzpbcgrvkj[.]ru
anam0rph[.]su
orzdwjtvmein[.]in
ygiudewsqhct[.]in
bdcrqgonzmwuehky[.]nl
somicrososoft[.]ru
URLS http[://]pe[.]suckmycocklameavindustry[.]in/<random 32 string>
http[://]img[.]suckmycocklameavindustry[.]in/<random 32 string>
http[://]sc[.]suckmycocklameavindustry[.]in/<random 32 string>
http[://]xdqzpbcgrvkj[.]ru/in.php
http[://]anam0rph[.]su/in.php
http[://]orzdwjtvmein[.]in/in.php
http[://]ygiudewsqhct[.]in/in.php
http[://]bdcrqgonzmwuehky[.]nl/in.php
http[://]somicrososoft[.]ru/in.php

Profile

Toshiki Takeuchi, CISSP, RISS(Registered Information Security Specialist)
Security Engineering Center, Risk Hunting Analysis Group

Toshiki Takeuchi is engaged in incident response and penetration testing.
His pastime is malware analysis. He holds GIAC(GPEN) and medal of SANS SEC560.

Profile

Dr.Manikantan Srinivasan, CISSP
NEC Open networks Solution and Services (NOSS) Delivery Unit, NEC Corporation India Pvt Ltd.

Dr Manikantan is involved in AI/ML aided 5G and beyond related research, O-RAN alliance architecture based secure 5G solution development, Telecom Security, 3GPP standardization initiatives and Cyber Threat Intelligence related research. He is a NEC Delegate to O-RAN WG11 - Security Working Group and contributes to O-RAN Security standardization. Dr. Manikantan has 24+ years of Industry experience in domain of Communication Networks, Mobile Cellular Networks and Security.

Dr. Manikantan has made several contributions to MITRE ATT&CK since 2021.

Profile

Dr. Sareena Karapoola
Digital Platform Delivery Unit (DPDU), NEC Corporation India Pvt Ltd.

Dr. Sareena is involved in malware analysis, detection engineering, and cyber threat intelligence-related research. Dr. Sareena earned her direct Ph.D. in Computer Science from the Indian Institute of Technology Madras in 2022 in cyber security. Her other research interests include novel AI-based detection and mitigation strategies, real-world testbeds, and labeled datasets for security research. Dr. Sareena has 10+ years of industry experience in embedded products and system software, including smart card readers and access control terminals.