On June 30, 2016, Cyphort Labs discovered an infection via malvertising on the website trendystyleshop.com. According to Domain Tools, the site was registered in February 2016 through namecheap.com. What drew our interest to this infection is that it installs TeamViewer, a popular remote access tool that is widely used in enterprises. It makes sense for cyber criminals to use it: backdoor access is easy to masquerade when it blends in with legitimate users of the same application. You probably recall that a month ago a major hack of TeamViewer accounts was reported on various news outlets.

Infection Chain

The affected ad network is “nanoadexchange.com”. It serves an ad for a game from “uphillrush.pro”, but the ad is injected with an iframe that redirects to “aga111.pro”, which in turn redirects to “jnqedq.lswswc.xyz”, the domain hosting a Flash exploit kit.

[Figure: infection chain]

After successful exploitation, it downloads an Andromeda bot from the same domain. The binary arrives encrypted over the network. 

The bot is installed in the %APPDATA% folder with a filename starting with “ms” (ms*.exe). Example:

  • %APPDATA%\msqgoj.exe

For persistence, it spawns a new “msiexec.exe” process and injects its code into it. As an anti-sandbox and anti-analysis trick, however, it will not install itself if any of the following processes are found:

  • avpui.exe
  • filemon.exe
  • netmon.exe  
  • perl.exe
  • prl_cc.exe
  • prl_tools.exe
  • prl_tools_service.exe
  • procmon.exe
  • python.exe
  • regmon.exe  
  • sandboxiedcomlaunch.exe
  • sandboxierpcss.exe  
  • sharedintapp.exe
  • vboxservice.exe  
  • vboxtray.exe  
  • vmsrvc.exe  
  • vmtoolsd.exe  
  • vmusrvc.exe  
  • vmwareservice.exe
  • vmwareuser.exe  
  • wireshark.exe

However, it skips the process blacklist check entirely when the following registry key is present:

  • HKLM\SOFTWARE\Policies\is_not_vm
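The persistence and anti-analysis behaviour described above lends itself to host-side detection. The following Python is an added example, not code from the original post or from Cyphort: it flags process-creation events where msiexec.exe is spawned by an %APPDATA%\ms*.exe parent or executes from %TEMP% (the path the IOC table gives for the TeamViewer module, which the real msiexec.exe never uses), and it models the install decision the post describes (abort if a blacklisted process is running, unless the is_not_vm key exists) so a sandbox operator can see which visible tool names would have made the sample refuse to install. The ProcEvent record shape and the sample events are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Process names the post lists as Andromeda's anti-sandbox / anti-analysis blacklist.
ANALYSIS_TOOLS = {
    "avpui.exe", "filemon.exe", "netmon.exe", "perl.exe", "prl_cc.exe",
    "prl_tools.exe", "prl_tools_service.exe", "procmon.exe", "python.exe",
    "regmon.exe", "sandboxiedcomlaunch.exe", "sandboxierpcss.exe",
    "sharedintapp.exe", "vboxservice.exe", "vboxtray.exe", "vmsrvc.exe",
    "vmtoolsd.exe", "vmusrvc.exe", "vmwareservice.exe", "vmwareuser.exe",
    "wireshark.exe",
}

# %APPDATA% expands to ...\AppData\Roaming; the post reports the bot as %APPDATA%\ms*.exe.
APPDATA_MS_RE = re.compile(r"\\appdata\\roaming\\ms[^\\]*\.exe$", re.IGNORECASE)
# %TEMP% expands to ...\AppData\Local\Temp; the post reports the TeamViewer module as
# %TEMP%\msiexec.exe. The legitimate msiexec.exe lives under the Windows system directory.
TEMP_MSIEXEC_RE = re.compile(r"\\appdata\\local\\temp\\msiexec\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (our own shape, e.g. filled from Sysmon events)."""
    pid: int
    image: str
    parent_image: str


def flag_process_event(ev: ProcEvent) -> List[str]:
    """Return the reasons, if any, that one process-creation event matches the
    behaviour described in the post. An empty list means nothing matched."""
    reasons = []
    child = ev.image.lower()
    parent = ev.parent_image.lower()
    # Persistence step: the bot in %APPDATA%\ms*.exe spawns msiexec.exe to inject into.
    if APPDATA_MS_RE.search(parent) and child.endswith("\\msiexec.exe"):
        reasons.append("msiexec.exe spawned by %APPDATA%\\ms*.exe")
    # The TeamViewer module is dropped as %TEMP%\msiexec.exe, a path the real binary never uses.
    if TEMP_MSIEXEC_RE.search(child):
        reasons.append("msiexec.exe executing from %TEMP%")
    return reasons


def visible_analysis_tools(running: Iterable[str], is_not_vm_key_present: bool) -> Set[str]:
    """Model the install decision the post describes: the bot aborts if any blacklisted
    process is running, unless HKLM\\SOFTWARE\\Policies\\is_not_vm exists, in which case
    the check is skipped. Returns the running process names that would trip the check."""
    if is_not_vm_key_present:
        return set()
    return {name.lower() for name in running} & ANALYSIS_TOOLS


def triage(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return only the events that produced at least one reason."""
    return [ev for ev in events if flag_process_event(ev)]


# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\alice\AppData\Roaming\msqgoj.exe"),
    ProcEvent(4188, r"C:\Users\alice\AppData\Local\Temp\msiexec.exe",
              r"C:\Users\alice\AppData\Roaming\msqgoj.exe"),
    ProcEvent(5002, r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in flag_process_event(ev):
            print(f"pid {ev.pid}: {reason}")
    print(sorted(visible_analysis_tools(["explorer.exe", "Procmon.exe", "vmtoolsd.exe"], False)))
```

The third sample event, the system msiexec.exe started by svchost.exe, produces no reason: the rule keys on the parent path and the child path together, which is what separates the injection target from ordinary MSI activity.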

Andromeda has been around since 2011. It is modular malware with the following known module types:

  • Keylogger
  • Browser Form Grabber
  • Hidden TeamViewer
  • Rootkit

For this infection, we saw it install additional modules from vbbb.ru, including Browser Form Grabber and Hidden TeamViewer.

[Figure: modules]

The above image shows the communication with the CnC server. Traffic to bmla.ru is RC4-encrypted with a key hardcoded in the malware body. The download domain is vbbb.ru; both domains resolve to the same IP address, 93.170.187.47.

As part of its routine, Andromeda gets the current time from NTP (Network Time Protocol) servers. It contacts the following NTP domains:

  • pool.ntp.org
  • africa.pool.ntp.org
  • oceania.pool.ntp.org
  • asia.pool.ntp.org
  • south-america.pool.ntp.org
  • north-america.pool.ntp.org
  • europe.pool.ntp.org


Is Andromeda On the Rise Again?

Using the CnC IP 93.170.187.47, we gathered the domains that have resolved to it. We found that the campaign actively uses .ru domains consisting of 4 random letters, usually with the last 3 letters the same. The data also shows that this pattern has been active since April 10, 2016.

IP             Domain    Date Resolution  Country
93.170.187.47  fghd.ru   2016-07-04       Czech Republic
               fghf.ru   2016-07-04
               vbbb.ru   2016-06-27
               bmlc.ru   2016-06-24
               bmla.ru   2016-06-23
               zvvv.ru   2016-06-21
               unnn.ru   2016-06-20
5.8.63.35      zvvv.ru   2016-06-18       Russia
               vbbb.ru   2016-06-02
               acpf.ru   2016-06-03
               unnn.ru   2016-06-01
               aqqq.ru   2016-06-01
               zggg.ru   2016-05-31
95.213.192.70  dqqq.ru   2016-05-18       Russia
               aqqq.ru   2016-05-18
               cqqq.ru   2016-05-18
               zggg.ru   2016-04-10
               zhhh.ru   2016-04-10
               zkkk.ru   2016-04-10
               znnn.ru   2016-04-10
               zvvv.ru   2016-04-10

Source: virustotal.com

We also discovered that one of the IPs used by Andromeda is actively used by Cerber ransomware, a ransomware infection used to encrypt  that . For instance, znnn.ru resolved to the following IP addresses, which also hosted Cerber CnC domains, sometime in May 2016.

IP               Cerber CnC                    Date
31.184.233.109   cerberhhyed5frqa.amdeu5.win   2016-05-31
                 cerberhhyed5frqa.maqwe5.win   2016-05-26
                 cerberhhyed5frqa.nerti5.win   2016-05-29
                 cerberhhyed5frqa.tewoaq.win   2016-05-26
176.103.56.12    cerberhhyed5frqa.ti4wic.win   2016-05-23
                 cerberhhyed5frqa.workju.win   2016-05-26
                 cerberhhyed5frqa.red4is.win   2016-05-24

It is unclear to us at this time how the actors behind this campaign are exploiting the installed TeamViewer, but it clearly is a major compromise that opens the door to many possibilities. Cyphort Labs will continue to monitor and report any new developments.

IOCs

MD5                               Path                 Description
e9f3c513861a70b568d61f80b719e0ca  %APPDATA%\ms*.exe    Andromeda Bot
45959b3d2bde20435a9aeed861046506  %TEMP%\msiexec.exe   TeamViewer Module
36effd0f31f11de9cc01a358d37036c4  %TEMP%\KB*.exe

IP Address
93.170.187.47
5.8.63.35
95.213.192.70
31.184.233.109
176.103.56.12