CERT-PH monitored a malware infiltration (Trojan/Botnet) infecting government and academe sectors. The malware mainly targets the Windows operating system, which is exploited to establish a network of compromised computers. These infected machines are then incorporated into the Andromeda Botnet, which enables the distribution of various other malware families associated with Andromeda.

A. Nature of the Malware

Andromeda is a dangerous Trojan horse with multiple malicious capabilities. Once it infects a system, it takes control and noticeably slows down the computer’s performance. It can introduce additional malware, update, disable, remove, and execute other malicious tasks on the compromised machine. Andromeda establishes encrypted communication with its command and control (C&C) server using the RC4 algorithm. This enables to carry out unauthorized actions, steal sensitive information, and transmit it to the Command-and-Control (C&C) server. By employing a Domain Generation Algorithm, the malware can communicate with its C&C and potentially add the victim’s machine to a botnet.

B. Indicators of Compromise

Please see file below for the indicators of compromise.

C. Recommendations

It is crucial to pinpoint the point of entry that the threat actor used to deploy the malicious software. This is to strengthen security measures, address vulnerabilities, and prevent future incidents within the organization’s assets, systems, and network.

With this, CERT-PH recommends the following:

  • Identify and isolate the affected asset to prevent spreading of the malware.
  • Acquire and review security appliance logs and monitor outgoing traffic from the affected asset. This is to identify point of entry of the threat actor.
  • Identify if there are other asset affected.
  • Use a reliable antivirus and run a scan to detect and remove the malicious software.
  • Block the malicious external IP addresses and other malicious IP addresses on your network.
  • Reverse malware’s system changes: delete files, revert registry, and restore components to mitigate malware’s impact.

Additional Countermeasures To Avoid Future Malware Infiltration:

  • Educate employees about safe browsing habits, importance of avoiding and downloading applications to untrusted sources (downloading pirated software, downloading/opening attachments received in email).
  • Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
  • Activate built-in security features on endpoint devices which scan applications for malware.
  • Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution and anti-malware software.
  • Enforce a strong password policy, implement regular password changes and not using default login credentials.
  • Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.