Bots, Machines, and the Matrix

Executive Summary

Recently, a Fidelis Network user reported detections of what appeared to be botnet-related malware. Although that customer was protected, we at General Dynamics Fidelis Cybersecurity Solutions decided to take a closer look. Analysis of the malicious code revealed that it appeared to be Andromeda, but the delivery infrastructure looked interesting. Further telemetry from our sensors showed that the server distributing it, located in China, was also hosting and distributing many other malicious specimens. Analysis of the data revealed a pattern in the filenames. Our analysts used this pattern to discover other systems distributed across the globe serving up various botnet malware, previously assumed to be used in distinct campaigns but clearly related in this case:

  • Andromeda
  • Beta Bot
  • Neutrino Bot
  • NgrBot/DorkBot

Analysis also showed how attackers continue to benefit from globally distributed hosting providers to carry out their malicious activities. Further, the analysis revealed that attackers are hosting and distributing identical copies of the malware from servers in different countries, including China, Poland, Russia, and the United States. For the period of time researched in this activity, we observed the following targeted sectors in the US:

  • Manufacturing/Biotechnology & Drugs
  • Professional Services/Engineering
  • Information Technology/Telecommunications
  • Government/State

Note that our footprint is largely in the enterprise space, and it is possible that we’re seeing spillover from wider campaigns. This document uncovers various servers hosting bots and other related malware, provides a triage analysis of various pieces of malware hosted by these malicious servers, and provides indicators that network defenders can use to protect their networks.
