Fake Qantas Spam Campaign Leads to Andromeda Bot Infection

If you have booked a flight from Qantas recently, you might be expecting a bookingconfirmation in your email inbox. Be wary however, because there areopportunist cyber crooks that spam out fake Qantas booking receipts. Thismalicious spam has been actively sent bythe Cutwail botnet in the last few days.

Sample email
A spoofed email notification claiming to come from booking@qantas.com.au.
The attachment ZIP file contains an executable of anAndromeda bot loader or also known as the Gamarue Trojan. Andromeda is amodularized cybercriminal's kit that can be purchased from underground hacker forums. The functionalityof this bot can be expanded by adding plugins like form grabbing, rootkit,proxy capabilities and key loggers.

When run, the malware drops a file in the infected system:

%AllUsersProfile%\<MalwareName>.exe (e.g.C:\Documents and Settings\All Users\dxssogpn.exe)

Italso creates an autorun registry to ensure execution after Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSunJavaUpdateSched = "C:\Documents and Settings\All Users\<MalwareName>.exe"
Aregistry is also created to add the Trojan in the Windows firewall exceptionlist:
HKEY_LOCAL_MACHINE\SSYTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListC:\Documents and Settings\All Users\<MalwareName> = "C:\Documents and Settings\All Users\<MalwareName>.exe:*:Enabled:<MalwareName>"

It then executes a legitimate Windows file MSIEXEC.EXE andinjects itself to that process.

2

The Trojan phones home to its command and control server andthen sends and receives encrypted data:

3

Afterwards, It downloads an additional malicious executablefile which in this case is a Zbot Trojan, a notorious Trojan that is capable ofstealing banking information.

4

The Andromeda bot behaves differently in a monitored anddebugged environment. It utilizesseveral anti-debugging and anti-VM (virtual machine) techniques. When itencounter that it's being debugged, it connects to TCP/IP address 0.0.0.0 andlistens to port 8000, after which, it runs a new instance of CMD.EXE.

5
6

It maylook like it opens a backdoor at port 8000 but this just a trickto confuse malware analysts.

Cybercriminals have been actively spamming out Andromedaloaders for the past year.The spam themes vary from flight, courier, tax, hotel, payroll, invoice, socialmedia and among others. Most of the time the spam campaigns are very legitimatelooking. It may be hard to spot whether it's a malicious email. But if you are cautious,you will easily tell a legitimate and a fake email. If you are technicalenough, you may want to check if the attachment is an executable file, howeverfor most people this may be too hard. Just be distrustful when you seeunsolicited email in your inbox especially if you do not expect it. You canverify the sender but if you can't, just delete it and you should be fine. Andalso, avoid clicking on links in the email.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.