Andromeda, one of the longest-running malware families, was shut down last week, law enforcement officials said.
Andromeda, also known as Gamarue, was itself commonly distributed by other malware families, Microsoft officials said.
Andromeda has been associated with 80 malware families and, over the last six months, was detected or blocked on an average of more than 1 million machines every month. The operation was led by the Federal Bureau of Investigation (FBI) in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners.
This latest takedown traces back roughly a year, to when investigators found that Andromeda was also part of the Avalanche network, which was dismantled in a major international cyber operation.
“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale,” said Steven Wilson, the head of Europol’s European Cybercrime Centre.
On November 30 last year, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, dismantled the international criminal infrastructure Avalanche.
Avalanche was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, as well as money mule recruitment campaigns.
Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week.
The international partners took action against the servers and domains used to spread the Andromeda malware. Overall, 1,500 domains used by the malware were sinkholed, that is, redirected to servers under the investigators’ control so that infected machines report to them rather than to the criminals’ command-and-control infrastructure. According to Microsoft, during 48 hours of sinkholing, 2 million unique Andromeda victim IP addresses from 223 countries were recorded. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.
Simultaneously, the German sinkhole measures from the Avalanche case have been extended by another year. The extension was necessary because, globally, 55 percent of the computer systems originally infected in the Avalanche case are still infected today.
The measures to combat the Andromeda software as well as the extension of the Avalanche measures involved the following EU member states: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, and the following non-EU member states: Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.
The operation was supported by the following private and institutional partners: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).