Andromeda Gamarue Botnet Gets An Update

Recently I saw some spam emails exploiting an adobe PDF vulnerability ( thanks to Conrad Longmore ( https://twitter.com/ConradLongmore) )

upload.jpg

This PDF file seems to be exploiting CVE-2013-2729 vulnerability. The shellcode is small and simple . It just downloads the file from a server and executes it .

upload.jpg

After unpacking the file , analysis reveal that this is a new update for Andromeda - Gamarue botnet . The version is upgraded to 2.9 . Although there is no significant change in the Botnet , the version number from the request string has been removed

upload.jpg

upload.jpg

Raashid Bhat

http://twitter.com/raashidbhatt

 
32
Kudos
 
32
Kudos

Now read this

Dissecting DEloader malware with obfuscation

DEloader is a loader malware which is mostly used to load Zeus banking trojan . It is a stealth malware designed to keep the payload hidden and encrypted in the memory . A payload is dynamically retrieved from a remote https server So... Continue →