Security Experts:

Connect with us

Hi, what are you looking for?



Authorities Take Down Andromeda Botnet

The Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe managed to dismantle the Andromeda botnet last week.

The Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe managed to dismantle the Andromeda botnet last week.

Also known as Gamarue, Andromeda malware has been around since 2011 and used to ensnare the infected computers into a botnet. The main purpose of this network of infected machines was to distribute other malware families, including the Dridex banking Trojan or point-of-sale (PoS) malware GamaPoS.

In a FortiGuard Labs report detailing the top 5 methods used to attack healthcare in Q4, 2016, Andromeda emerged as the top botnet.

Packing a loader that features virtual machine and debug evasion techniques, Andromeda downloads modules and updates from its command and control (C&C) server. Overall associated with 80 malware families, the threat was detected on or blocked on an average of over 1 million computers every month for the past six months.

The takedown, a joint effort from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners, was performed on November 29.

The operation was the result of information gathered following last year’s shut down of a large criminal network known as Avalanche, a platform used for mass global malware attacks and money mule recruiting. Andromeda was also used in the Avalanche network.

“Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week,” a Europol announcement reads.

Investigators focused on taking down servers and domains used to spread the Andromeda malware and resulted in the sinkholing of 1500 domains. 48 hours of sinkholing resulted in around 2 million unique Andromeda victim IP addresses from 223 countries being captured.

The takedown operation also included the search and arrest of a suspect in Belarus.

The investigators also decided to extend the sinkhole measures of the Avalanche case for another year, as globally 55% of the computers originally infected in Avalanche continue to be infected.

The measures to combat Andromeda and Avalanche involved the following countries: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, Australia, Belarus, Canada, Montenegro, Singapore, and Taiwan.

Private and institutional partners involved in the takedown include: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI). 

“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us,” Steven Wilson, the Head of Europol’s European Cybercrime Centre, said.

Related: Global Police Smash Huge Online Crime Network: Europol

Related: These Were the Top Threats Targeting Healthcare Firms in Q4 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...