Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.
The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.
Our analysis of more than 44,000 malware samples uncovered Gamarue’s sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:
- 1,214 domains and IP addresses of the botnet’s command and control servers
- 464 distinct botnets
- More than 80 associated malware families
The coordinated global operation resulted in the takedown of the botnet’s servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:
- Petya and Cerber ransomware
- Kasidet malware (also known as Neutrino bot), which is used for DDoS attacks
- Lethic, a spam bot
- Info-stealing malware Ursnif, Carberp, and Fareit, among others
A global malware operation
For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue’s global prevalence.
https://blogs.technet.microsoft.com/...rue-andromeda/