1,500 malicious domains sinkholed and one suspect arrested in Belarus

A major botnet thought to have enslaved more than one million computers each month has been dismantled by an international group of cybercrime organizations.

On November 29, the Federal Bureau of Investigation (FBI), in close co-operation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre, the Joint Cybercrime Action Task Force, Eurojust, and private-sector partners, dismantled Andromeda – one of the longest running malware families in existence.

This widely distributed malware created a network of infected computers known as the Andromeda botnet.

Andromeda’s main goal was to distribute other malware families. The botnet – also known as Gamarue – was associated with 80 malware families and, in the last six months, it was detected on or blocked an average of over one million machines every month.

Andromeda was also used in the infamous Avalanche network, which was dismantled in a major international cyber operation in 2016.

Steven Wilson, head of Europol’s European Cybercrime Centre, said: “This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale.”

One year ago, on November 30, 2016, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the US Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust, and global partners, had dismantled Avalanche’s international criminal infrastructure.

This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, and money mule recruitment campaigns.

Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week.

Jointly, the international partners took action against servers and domains, which were used to spread the Andromeda malware. Overall, 1,500 domains of the malicious software were subject to sinkholing.

According to Microsoft, during 48 hours of sinkholing, approximately two million unique Andromeda victim IP addresses from 223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.

Simultaneously, the German sinkhole measures of the Avalanche case have been extended by another year. According to Europol, the extension of this measure was necessary, as globally 55% of the computer systems originally infected in Avalanche are still infected today.

The operation was coordinated from the command post hosted at Europol’s headquarters, and measures to combat the malicious Andromeda software involved authorities from 16 countries around the world.