In a fresh revelation by the Cybereason Security Services Team, a new wave of attacks linked to the notorious Andromeda malware has been uncovered, focusing on manufacturing and logistics sectors in the Asia-Pacific (APAC) region. This decades-old malware, first detected in 2011, continues to evolve, proving itself as a relentless tool in the cybercriminal arsenal.
Known for its modular nature, Andromeda has long been a favorite for hackers due to its versatility. Historically spread through malicious email attachments, infected USB drives, and secondary payloads, the malware is now leveraging more sophisticated techniques to wreak havoc. Once installed, Andromeda’s capabilities include stealing sensitive data, such as passwords, creating backdoor access, and downloading additional malware, making it a multipurpose threat for industrial espionage.
One of its standout features is its use of “USB drop attacks.” Compromised USB drives can execute malicious files automatically, infecting systems upon connection. The malware’s disguise game is strong—DLLs with inconspicuous names like “~$W*.USBDrv” and “~$W*.FAT32” are loaded using rundll32.exe to fly under the radar.
Additionally, “desktop.ini” files, typically seen as harmless system files, are being weaponized to trigger the malware’s activities.
A critical part of Andromeda’s resurgence lies in its advanced command-and-control (C2) infrastructure. During Cybereason’s investigation, one such C2 domain, suckmycocklameavindustry[.]in, demonstrated agility by resolving to multiple IP addresses, ensuring constant communication between infected systems and the threat operators.
The attackers also use WebDAV exploitation to download these malicious payloads. Their tactics highlight the ongoing evolution of Andromeda, as it adapts to modern cybersecurity challenges.
Cybereason’s investigation suggests that this campaign may be tied to the infamous Turla group, also known as UNC4210. It also indicates that an older Andromeda sample may have been hijacked and repurposed by the group, further complicating attribution.
The ultimate target of these attacks appears to be industrial espionage. Manufacturing and logistics companies in the APAC region are being infiltrated to steal valuable data, disrupt operations, and potentially execute further malicious actions. The campaign underscores the ongoing risks faced by industries heavily reliant on supply chains and operational technology.
