Andromeda Gamarue Botnet Gets An Update

Recently I saw some spam emails exploiting an adobe PDF vulnerability ( thanks to Conrad Longmore ( https://twitter.com/ConradLongmore) )

upload.jpg

This PDF file seems to be exploiting CVE-2013-2729 vulnerability. The shellcode is small and simple . It just downloads the file from a server and executes it .

upload.jpg

After unpacking the file , analysis reveal that this is a new update for Andromeda - Gamarue botnet . The version is upgraded to 2.9 . Although there is no significant change in the Botnet , the version number from the request string has been removed

upload.jpg

upload.jpg

Raashid Bhat

http://twitter.com/raashidbhatt

 
32
Kudos
 
32
Kudos

Now read this

A taste of our own medicine : How SmokeLoader is deceiving configuration extraction by using binary code as bait

A taste of our own medicine : How smokeloader is deceiving dynamic configuration extraction by using binary code as bait Recently an interesting smoke loader sample caught my eye ,and moreover I had to put smoke loader monitoring under... Continue →