by Seth Elo
We are no strangers to online code repositories and social media being abused for malicious purposes. Attackers use services like these in the hope of making their malware harder to detect and easier to manage, and of giving their bots' C2 communications a lower chance of being blocked.
Recently, RA Labs found a novel implementation of these practices: a script kiddie abusing SourceForge to host a full-fledged panel for the Andromeda botnet.
The panel's gateway was discovered at http://antonio24[.]sourceforge[.]net/andr/image.php via this sample. The command and control is a default install of the Andromeda panel; a key indicator of this was the sample using Andromeda's default RC4 key to communicate with its servers. Another indicator was the download of 'pack' files from the domain. These pack files are modules that extend the Andromeda bot's capabilities, allowing the malware to grab form posts, apply a rootkit to the machine, and open a SOCKS4 proxy.
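The default-key indicator described above can be checked mechanically: if a captured beacon decrypts to a readable check-in under a panel's well-known default RC4 key, the operator never changed it. The following is an added example, not code from the original post: a plain RC4 implementation plus a helper that tries candidate keys against a captured beacon and reports which one yields a plausible key:value check-in. The real Andromeda default key is not reproduced here; the key and the beacon bytes are constructed placeholders.

```python
# Added example: testing a captured RC4-encrypted beacon against candidate keys.
# The key and beacon below are constructed placeholders, not real Andromeda values.
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_checkin(plaintext: bytes) -> bool:
    """Heuristic: a correctly decrypted beacon is printable ASCII made of
    key:value fields joined by '|'. A wrong key yields pseudo-random bytes,
    which essentially never pass this test."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    fields = text.split("|")
    return len(fields) >= 2 and all(":" in f and f.isprintable() for f in fields)


def find_matching_key(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key under which the beacon decrypts to a
    plausible check-in, or None. A hit on a panel's default key is the
    'default install' indicator the write-up describes."""
    for key in candidates:
        if looks_like_checkin(rc4(key, ciphertext)):
            return key
    return None


PLACEHOLDER_DEFAULT_KEY = b"placeholder-default-key"          # constructed, NOT the real key
SAMPLE_BEACON = b"id:12345|bid:1|bv:519|os:601|rg:0"          # constructed check-in
CAPTURED = rc4(PLACEHOLDER_DEFAULT_KEY, SAMPLE_BEACON)        # stands in for sniffed traffic

if __name__ == "__main__":
    print("matched key:", find_matching_key(CAPTURED, [b"wrong-key", PLACEHOLDER_DEFAULT_KEY]))
```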
Andromeda is a botnet designed to use different modules to accomplish various tasks for the bot herder. It has been used in the past to steal credentials from users, download other malware, and log keystrokes; its capabilities depend on which modules are available. For further reading on Andromeda, Avast has written a detailed report: https://blog.avast.com/andromeda-under-the-microscope
While this may not be overly sophisticated, it was an interesting find and a good reminder that legitimate services are often abused for malicious purposes.
Indicators of Compromise

URLs:
http://antonio24[.]sourceforge.net/andr/image.php (Check-in/Beacon)
http://antonio24[.]sourceforge.net/andr/f.pack (Andromeda Module Pack)
http://antonio24[.]sourceforge.net/andr/r.pack (Andromeda Module Pack)
http://antonio24[.]sourceforge.net/andr/s.pack (Andromeda Module Pack)

File Hashes (SHA-256):

Andromeda Sample:
36693f8ce896c304bf679c2c7399cb7805f896a430b15c07129eef3a68d1b2b7

Andromeda Module Packs:
Bab1bd5e75f743dec562e94d644150343e42888bb3035053e7bd4ab8dfda581b
16a4db7f6de87391798a53ff0e1b06ed3f33b84860627a7e418aa90a2f8a9723
7664f5915e0fe8fe5179ea8a3824e542b734a8212c498e39aabac83c268e4f91

Malicious shell script from Antonio24's SourceForge site:
6d0b265f6f671bc7ae8e287ee33712b374d8e68327867fe18bc372a8c2f63695