
Gamarue Malware Goes to Germany

  • Posted on:October 29, 2012 at 1:07 pm
  • Posted in:Malware, Spam
  • Author:
    Jessa De La Torre (Senior Threat Researcher)

The hotel booking spam recently reported has made its way into German users’ inboxes. The email, purporting to be from the Brenners Park-Hotel and Spa in Austria, follows the same theme as its English counterpart: it contains the confirmation and details of an alleged booking reservation.

The email sample above was sent to a personal email address of one of Trend Micro’s managers. He almost fell for it, given that he travels a lot – until he noticed the address of the hotel.

It’s too bad the spammers aren’t as good at geography as they are at making spam: the actual Brenners Park-Hotel and Spa is in Baden-Baden, Germany, not in Austria. While he was initially looking forward to staying at the hotel, having read the excellent reviews on TripAdvisor, the email made it clear that this was, unfortunately, a scam. Fortunately, the attachment was already flagged and detected by Trend Micro as BKDR_ANDROM.P.

Technical Details: Network

The payload (email attachment) is a variant of the Gamarue/Andromeda bot that connects to any of the 6 C&C servers below. A typical Andromeda bot limits the number of domains to 6:

  • http://{BLOCKED}dia.pl/image.php
  • http://{BLOCKED}e.pl/image.php
  • http://{BLOCKED}ke.ru/image.php
  • http://{BLOCKED}e.pl/image.php
  • http://{BLOCKED}rm.ru/image.php
  • http://{BLOCKED}ve.com/image.php

These are all fast-flux domains and, with the exception of {BLOCKED}dia.pl, the servers appear to be offline or inactive. Initial communication is established by sending an encrypted POST request to the server.

A decrypted message includes the volume serial ID (which also acts as the decryption key), the OS version, the bot ID and the socket name. In the image above, the server replied with a link to download one of its plugins, r.pack. The domain hosting the file appears to be a compromised Australian health site.

Further investigation showed that {BLOCKED}dia.pl shared an IP address with other .pl domains and some of them were known servers of other botnets. All of these were registered under:

REGISTRAR:
Domain Silver Inc.
1st Floor, Sham-Peng-Tong
Plaza Building, Victoria, Mahe
Seychelles
e-mail:
tel.: +1.3236524343

Considering the high cost of acquiring and maintaining a “.pl” domain from DomainSilver, we are wondering why there is a slew of bad domains under this registrar. Possibly these domains have been operated by the same bad actor, or the administrator of this registrar is simply not that strict on abuse.

Trend Micro contacted our friends in CERT.PL who were very quick in taking down the {BLOCKED}dia.pl domain, so it is now also inactive.
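The two infrastructure observations above (short-lived fast-flux resolutions, and the surviving .pl domain sharing an IP address with other known botnet domains) can both be checked mechanically against passive-DNS data. The script below is an added example, not code from the original post; its record layout and every domain and IP in it are constructed placeholders, since the post redacts the real ones as {BLOCKED}.

```python
"""Fast-flux heuristic and shared-IP pivot over passive-DNS records (added example)."""
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved IP, TTL in seconds, epoch seconds).
# All names and addresses are placeholders, not the campaign's real infrastructure.
PDNS = [
    ("cnc-a.example.pl", "198.51.100.10", 300, 0),
    ("cnc-a.example.pl", "198.51.100.22", 300, 600),
    ("cnc-a.example.pl", "203.0.113.5", 300, 1200),
    ("cnc-a.example.pl", "198.51.100.31", 300, 1800),
    ("cnc-a.example.pl", "203.0.113.9", 300, 2400),
    ("other-bot.example.pl", "198.51.100.10", 300, 100),
    ("other-bot.example.pl", "203.0.113.5", 300, 700),
    ("static-site.example.org", "192.0.2.40", 86400, 0),
    ("static-site.example.org", "192.0.2.40", 86400, 86400),
]


def fast_flux_candidates(records, min_ips=4, max_ttl=600, window=3600):
    """Flag domains that rotate through many distinct IPs with short TTLs
    inside one time window: a simple fast-flux heuristic (thresholds are assumptions)."""
    seen = defaultdict(list)
    for dom, ip, ttl, ts in records:
        seen[dom].append((ip, ttl, ts))
    flagged = {}
    for dom, obs in seen.items():
        short = [o for o in obs if o[1] <= max_ttl]  # only short-TTL answers count
        if not short:
            continue
        times = [o[2] for o in short]
        ips = {o[0] for o in short}
        if len(ips) >= min_ips and max(times) - min(times) <= window:
            flagged[dom] = sorted(ips)
    return flagged


def shared_ip_pivot(records, domain):
    """Return the other domains that resolved to any IP the given domain used,
    the pivot the post applies to the surviving .pl C&C domain."""
    ips = {ip for dom, ip, _, _ in records if dom == domain}
    return sorted({dom for dom, ip, _, _ in records if dom != domain and ip in ips})


if __name__ == "__main__":
    hits = fast_flux_candidates(PDNS)
    for dom, ips in hits.items():
        print(dom, "->", ips, "shares IPs with", shared_ip_pivot(PDNS, dom))
```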

Technical Details: Malware

The tool/bot used in this spam run is Gamarue, or Andromeda (the bot’s actual name). Like the major bots on the market, Gamarue is modularized, and buyers can opt to encrypt/protect their bots using available crypting services. In this instance, the malware is encrypted to prevent it from running in a sandboxed/debugged environment and uses several anti-VM techniques, which include checking CPU cycles, disk names, and running processes.

It also works in both 32-bit and 64-bit Windows environments, from Windows XP to Windows 7. The environment is determined by calling the IsWow64Process API, and the file is injected into one of the following processes accordingly:

  • %System%\wuauclt.exe – 32-bit
  • %Windows%\SysWOW64\svchost.exe – 64-bit

Aside from downloading files, this module is also capable of modifying the registry, executing files and connecting to other URLs.

Technical Details: Infection

Given the obvious connection to Germany and Australia, it isn’t hard to guess that they were the countries most affected by this spam run. The graph below depicts the regions/countries affected by this spam.

Trend Micro Smart Protection Network already blocks the related domains and links, and blocks the email itself from reaching users’ inboxes. It also detects and deletes the files as BKDR_ANDROM.P.

With additional analysis from Feike Hacquebord and Robert Mcardle
