Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Fake Qantas Spam Campaign Leads to Andromeda Bot Infection

If you have booked a flight from Qantas recently, you might be expecting a booking confirmation in your email inbox. Be wary however, because there are opportunist cyber crooks that spam out fake Qantas booking receipts. This malicious spam has been actively sent by the Cutwail botnet in the last few days.

10071_79e94c11-224b-4479-8916-b367cdf68ce8
A spoofed email notification claiming to come from booking@qantas.com.au.

The attachment ZIP file contains an executable of an Andromeda bot loader or also known as the Gamarue Trojan. Andromeda is a modularized cybercriminal's kit that can be purchased from underground hacker forums. The functionality of this bot can be expanded by adding plugins like form grabbing, rootkit, proxy capabilities and key loggers.

When run, the malware drops a file in the infected system:

%AllUsersProfile%\<MalwareName>.exe (e.g.C:\Documents and Settings\All Users\dxssogpn.exe)

Italso creates an autorun registry to ensure execution after Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSunJavaUpdateSched = "C:\Documents and Settings\All Users\<MalwareName>.exe"

Aregistry is also created to add the Trojan in the Windows firewall exceptionlist:

HKEY_LOCAL_MACHINE\SSYTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListC:\Documents and Settings\All Users\<MalwareName> = "C:\Documents and Settings\All Users\<MalwareName>.exe:*:Enabled:<MalwareName>"

It then executes a legitimate Windows file MSIEXEC.EXE and injects itself to that process.

9222_4ef827bf-7f1e-4995-8506-b1c04f03f2d0

The Trojan phones home to its command and control server and then sends and receives encrypted data:

9443_59fe5ffe-5604-4b38-8a12-b9bb7658463f

Afterwards, It downloads an additional malicious executable file which in this case is a Zbot Trojan, a notorious Trojan that is capable of stealing banking information.

11665_c490a4f0-8b21-4d7b-a43f-f43751d412f8

The Andromeda bot behaves differently in a monitored and debugged environment. It utilizes several anti-debugging and anti-VM (virtual machine) techniques. When it encounter that it's being debugged, it connects to TCP/IP address 0.0.0.0 and listens to port 8000, after which, it runs a new instance of CMD.EXE.

10138_7b5618be-3347-4fa2-b091-bbebb867818b
8483_2b650b7f-3e69-4f26-876a-f611bbbebb00

It may look like it opens a backdoor at port 8000 but this just a trick to confuse malware analysts.

Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others. Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it's a malicious email. But if you are cautious, you will easily tell a legitimate and a fake email. If you are technical enough, you may want to check if the attachment is an executable file, however for most people this may be too hard. Just be distrustful when you see unsolicited email in your inbox especially if you do not expect it. You can verify the sender but if you can't, just delete it and you should be fine. And also, avoid clicking on links in the email.

Latest SpiderLabs Blogs

Why We Should Probably Stop Visually Verifying Checksums

Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]:

Read More

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced...

Read More

Evaluating Your Security Posture: Security Assessment Basics

This is Part 4 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More