G DATA: Nested malware builds up botnet


Fake rail card emails try to lure users into a malware trap that turns users' computers into part of a botnet.

Macro Dropper

Experts at German security provider G DATA have discovered a number of malware programs that are aimed at building up a botnet and can be controlled from the same command and control server. The two malware instances that the analysts investigated by way of example take significantly different routes to infection. The security experts believe that this attack was planned by one or more perpetrators who distribute the malware en masse so that the resulting botnet can be sold or rented. The malware spreads via macros in manipulated Word documents that are sent as email attachments. In some cases the fraudsters send a fake rail card invoice. G DATA security solutions detect the malware and prevent the infection.

"The malware behaves like a matryoshka doll on the system. It gradually reveals its potential and actual aim", explains Ralf Benzmüller, head of G DATA SecurityLabs. "We suspect that the infected systems are intended for use as zombie PCs in the Andromeda/Gamarue botnet."

Rail card email pretends to be an invoice
By disguising the malware as a rail card invoice, the fraudsters are trying to confuse users. Recipients are expected to be motivated to open the attached Word document and activate the macro settings. Once on the computer, the malware tries to disguise what it is doing. Its aim is to build up a botnet. Cyber criminals can then control the infected systems remotely, without the owners being aware.

What is a macro?
Macros are used to automate tasks so that they can be executed with one click. Macros are usually disabled in Office because they can represent a security risk. As this example demonstrates, cyber criminals can exploit this useful function for their nasty purposes by inducing users to enable it. This allows malware to smuggle itself in and infect the system.
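As an added example (not code from G DATA or the blog post), the following Python check lets a mail gateway or analyst tell whether an inbound Word attachment can carry VBA macros at all, before any user is asked to enable them. The sample documents are constructed inside the code and the attachment filenames are hypothetical.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .doc (OLE compound file) signature
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_doc(with_vba: bool) -> bytes:
    """Constructed minimal OOXML Word package for testing; the VBA part is a placeholder,
    not a real macro project."""
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT if with_vba else PLAIN_CT}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-placeholder")
    return buf.getvalue()

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Report the container format, whether a VBA project part is present, and whether the
    attachment deserves quarantine or deeper analysis."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc files can embed VBA; proving absence needs a full OLE parse, so flag them.
        return {"format": "ole", "has_vba": None, "suspicious": True}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return {"format": "unknown", "has_vba": False, "suspicious": False}
    # Either signal is enough: the VBA part itself, or the macro-enabled content type.
    has_vba = "word/vbaproject.bin" in names or MACRO_CT in ctypes
    ext = filename.lower().rsplit(".", 1)[-1]
    # A .docx extension promises a macro-free file; a VBA part inside it is a mismatch.
    mismatch = has_vba and ext == "docx"
    return {"format": "ooxml", "has_vba": has_vba, "suspicious": has_vba or mismatch}

if __name__ == "__main__":
    for name, doc in [("railcard_invoice.docm", build_sample_doc(True)),
                      ("railcard_invoice.docx", build_sample_doc(False))]:
        print(name, inspect_attachment(name, doc))
```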

Detailed information can be found in the G DATA SecurityBlog:
https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-the-rise-again.html

About G DATA
IT security was invented in Germany: G DATA Software AG is the antivirus pioneer. More than 29 years ago the company, founded in Bochum, developed the first program to combat computer viruses. These days, G DATA is one of the world's leading providers of IT security solutions. G DATA, Inc. is the U.S. subsidiary, located in Atlanta, GA.

For more information about the company and G DATA security solutions, see http://www.gdatasoftware.com

For sales inquiries in North America please contact Contronex, Inc.

Contact Author

Thorsten Urbanski
@g_data_software