We're not talking about a science fiction movie but ever-evolving cyber threats, and two names that might raise concerns are Avalanche/Andromeda and Nymaim. In this article, we'll explore what these entities are and the risks they pose to online security.
Avalanche/Andromeda: A Dangerous Botnet Infrastructure
What is Avalanche?
Avalanche was an extensive botnet network used to spread malware massively. Among its victims are numerous infected computers worldwide.
Andromeda: The Underlying Malware
Andromeda is one of the malware distributed through the Avalanche network. It acts as a remote control mechanism, allowing the creators of this threat to take over infected computers and use them as part of a botnet.
Nymaim: A Downloader for Other Threats
What is Nymaim?
Nymaim is a type of malware known as a "downloader." Its main function is to download and install additional malware on the infected system. It acts as a kind of "gateway" for other harmful threats.
IP address 54.36.148.35 has been included in the exploits blocklist (XBL) due to a malware infection. Specifically, the machine associated with that IP address appears to be infected with malware from the Avalanche/Andromeda family; in this case, the malware is Nymaim.
The advisory also provides further details about the Andromeda/Avalanche malware family and suggests that, despite the botnet's closure in 2016, the associated malware is still active.
Finally, it is recommended to take action to address the issue. If it's a shared server, contacting the hosting company or ISP is advised. It is emphasized that the machine is still infected, and preventive and corrective actions are recommended to stop listings and protect the network, websites, devices, and data.
Spamhaus.org Alert
Spamhaus.org, an online security service, has detected an IP address (54.36.148.35) associated with a malware infection of the Avalanche/Andromeda family, particularly Nymaim. The IP has been included in the exploits blocklist (XBL) due to suspicious activity.
Technical analysis shows that the computer associated with this IP has initiated a connection with a Nymaim command and control server, indicating malicious activity. The infection was last detected on December 21, 2023, at 22:58:11 UTC.
What to Do in Case of Infection
If your server is involved, it is advisable to contact the hosting provider or ISP immediately. The infection persists, and the presence of multiple types of malware is likely. To protect your network, websites, devices, and data, taking preventive and corrective actions is recommended.
Online threats are real, but being aware and acting promptly can significantly reduce risks. Keep your software up to date, use reliable antivirus solutions, and stay informed about the latest cyber threats.
Reported Operational Mode
The technical record in the alert describes a specific event related to the detection of the Nymaim malware. Let's break it down:
Who is involved:
- Source IP address: 54.36.148.35
- Source port: 30223
- Destination IP address: 216.218.185.162
- Destination port: 80
What happened:
- The machine with IP address 54.36.148.35 initiated a connection via TCP (Transmission Control Protocol) to another IP address, 216.218.185.162.
- This connection was established from source port 30223 on the source machine to destination port 80 on the destination machine.
Sinkhole IP:
- The term "sinkhole" is often used in cybersecurity to indicate a server or device intentionally configured to collect and intercept malicious traffic.
- In the specific context, IP address 216.218.185.162 is the sinkhole. The infected machine (54.36.148.35) is attempting to communicate with the sinkhole on port 80.
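As an added example (not part of the original article and not a Spamhaus tool), here is a Python check that applies the event above to constructed connection-log lines: it flags outbound connections to the listed sinkhole address and builds the DNSBL query name used to confirm an XBL listing. The log format, the sinkhole list, and the non-page IP addresses are assumptions.

```python
"""Flag outbound connections to known sinkhole IPs in connection logs.

Constructed example: the log line format and the sinkhole set are
assumptions; only 54.36.148.35, port 30223, 216.218.185.162 and port 80
come from the alert discussed in the article."""
import ipaddress
import re
from datetime import datetime

# Sinkhole addresses to alert on (the one from the alert, plus more as needed).
SINKHOLES = {"216.218.185.162"}

# Constructed log format: "<iso-ts> proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log; 203.0.113.5 and 198.51.100.9 are documentation addresses.
SAMPLE_LOG = """\
2023-12-21T22:58:11Z proto=tcp src=54.36.148.35:30223 dst=216.218.185.162:80
2023-12-21T22:58:12Z proto=tcp src=10.0.0.7:51512 dst=203.0.113.5:443
2023-12-21T22:59:03Z proto=udp src=54.36.148.35:49152 dst=198.51.100.9:53
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def sinkhole_hits(log_text, sinkholes=SINKHOLES):
    """Return every parsed record whose destination is a known sinkhole."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dip"] in sinkholes:
            hits.append(rec)
    return hits

def xbl_query_name(ip):
    """Reverse-octet DNSBL name for a Spamhaus ZEN lookup (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".zen.spamhaus.org"

def is_xbl_code(answer):
    """Per Spamhaus documentation, ZEN answers 127.0.0.4-127.0.0.7 for XBL."""
    return answer in {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}
```

Resolving the name returned by xbl_query_name and passing the A record to is_xbl_code reproduces the XBL check the alert is based on; the log scan above is the local-side counterpart that finds the sinkhole contact in your own traffic records.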
Who and What
Malware associated with Andromeda/Avalanche:
- Andromeda: The name of one of the main malware families associated with this botnet network. This malware could infect computers and allow its creator to control the infected machines.
- Win32/Dofoil, Gamarue, Smoke Loader, W32/Zurgop.BK!tr.dldr: These are names of other malware families associated with Andromeda/Avalanche. Each of these families may have different purposes, such as stealing information, distributing other malware, or remotely controlling infected computers.
Botnets used through the Avalanche infrastructure:
- The Avalanche infrastructure was not limited to a single botnet. It was also involved in providing command and control communications for other botnets. These include:
- TeslaCrypt, Nymaim, Corebot, GetTiny, Matsnu, Rovnix, Urlzone, QakBot, etc.: These are names of other botnets using the same command and control infrastructure provided by Avalanche. Each of these botnets may have specific goals, such as distributing ransomware, malware downloaders, or other malicious activities.
Botnet Closure:
- In 2016, coordinated efforts from authorities and security companies led to the closure of the Avalanche/Andromeda botnet infrastructure. However, it's important to note that the malware associated with this botnet remains active. Even though the main infrastructure has been dismantled, the previously distributed malicious code may still be in circulation, and new variants or related threats may emerge over time.
In essence, the infected machine attempted to establish a connection with a sinkhole IP on port 80. This could be Nymaim attempting to check in with its command and control infrastructure; the sinkhole stands in for that infrastructure and is configured to monitor and block malicious activity from compromised systems.
The fact that this was detected indicates that the system with IP 54.36.148.35 might be compromised or infected with malware, and the attempt to connect to the sinkhole is suspicious behavior that requires attention and corrective actions.
Technical Glossary:
- Botnet: A network of infected computers, known as "bots," controlled by a central command. They can be used to carry out harmful actions under the control of the botnet creator.
- Malware: Short for "malicious software," it refers to software designed to damage or compromise a system, such as viruses, worms, trojans, etc.
- Botnet Infrastructure: The set of servers and devices used to manage a botnet, coordinating the activities of bots distributed on infected computers.
- Command and Control (C&C), also called remote control: A mechanism that allows an attacker to control a system or network remotely, often through a secure connection.
- Downloader: A type of malware specialized in distributing additional threats. It acts as a "gateway" for other malware by downloading and installing them on the infected system.
- Exploits Blocklist (XBL): A list identifying IP addresses associated with malicious behaviors or malware infections. It is used to prevent such addresses from accessing specific services or online resources.
- Sinkhole: A server or device intentionally configured to intercept and monitor malicious traffic, often used to mitigate botnet activity.
- IP (Internet Protocol) Address: A unique identifier assigned to a device connected to a network. It consists of a series of numbers separated by dots.
- Ransomware: A type of malware that encrypts data on the infected computer and demands a ransom to restore access.
- Port (in the context of TCP/UDP): An identification number associated with a data stream within a network connection. For example, port 80 is often used for web communications.
- Technical Analysis: A detailed investigation of computer events or behaviors to understand the nature and origin of threats.
- Hosting Provider: A company that provides server space and associated services to host websites and online applications.
- ISP (Internet Service Provider): A company that provides internet access and other connectivity services.
- Check.spamhaus.org: An online security service that monitors and identifies IP addresses associated with cyber threats, including botnets and malware.
- UTC (Coordinated Universal Time): The global reference time standard, often used in computer contexts to standardize time references across time zones.
- Coordination of Authorities: Organized efforts by government agencies or security entities to combat cyber threats, such as botnet closures.
- TeslaCrypt: A type of ransomware malware designed to encrypt data on infected computers and demand a ransom to restore file access.
- Nymaim: A malware downloader known for its ability to download and install additional threats on infected systems.
- Corebot: A type of malware known for stealing sensitive information, such as login credentials and financial data.
- GetTiny: Malware known for its ability to perform malicious actions on infected systems, often used as part of larger attacks.
- Matsnu: Malware with backdoor functions, allowing the attacker to control the infected system remotely.
- Rovnix: A type of malware that can be used as a rootkit, hidden in the system to avoid detection.
- Urlzone: A banking trojan designed to steal financial information, particularly during online transactions.
- QakBot: Malware known for stealing information, especially login credentials and financial information.