Organizations participating in the Andromeda investigation included the Europol European Cybercrime Center, the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, the Joint Cybercrime Action Task Force, Eurojust and private-sector partners.
Additionally, during the operation, law enforcement arrested a man in Belarus who is suspected of being the leader of the Andromeda cybercrime gang.
In a separate statement, Europol, quoting Microsoft, said that Andromeda's "main goal was to distribute other malware families" and that the malware and associated botnet "was associated with 80 malware families and, in the last six months...was detected on or blocked an average of over 1 million machines every month". In concrete terms, Andromeda was detected on or blocked on almost 1.1 million machines per month on average over that six-month period.
A crime kit sold on the dark web, Gamarue offers a high degree of customisation, allowing the buyer to build and deploy custom plugins. Notable examples of malicious activity distributed through the self-service kit include a plugin that steals content entered into web forms and another that gives attackers remote control of compromised systems. The suspect is also described as the developer of the Win32/Gamarue HTTP bot, the Windows SMTP Bruter v.1.2.3 and the "Swf-Inj Service", which hijacks web traffic using malware.
Microsoft approached ESET and together they tracked Gamarue's botnets for 18 months, identifying the command and control communications behind Gamarue and then handing that information to the authorities. Neither company named the suspect.
"This is another example of worldwide law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale".
"This particular threat has been around for several years now and it is constantly reinventing itself - which can make it hard to monitor".
Also cited was the Avalanche network, a botnet infrastructure that at one stage was responsible for two-thirds of all phishing attacks globally and that was brought down in December 2016 following a four-year investigation by global law enforcement agencies. From there ESET and Microsoft were able not only to track the botnet but also to locate its command and control servers.
More than 1,500 malicious domains used to control the botnet were sinkholed, so that traffic from infected computers was redirected to sinkhole servers rather than to the criminals' infrastructure. "The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us," said Steven Wilson, the Head of Europol's European Cybercrime Centre.
The operation against the Andromeda botnet also resulted in the sinkholing of 1,500 domains belonging to the malware, as well as the capture of approximately 2 million unique Andromeda victim IP addresses from 223 countries.
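Sinkholing does not disinfect the victims: the bots keep beaconing, only now their DNS answers point at law-enforcement sinkholes instead of the criminals' servers. That is what makes the 2 million victim IPs countable, and it also gives a defender a cheap way to find infected machines in their own network by scanning resolver logs. The script below is an added example, not code from the article or from Microsoft, ESET or Europol; the sinkhole address blocks, the sinkholed domain names, the resolver log format and the log lines themselves are all constructed for illustration. It flags a client either when it queries a name on the known-sinkholed list or when any answer lands inside a sinkhole address block, which also catches domains that were sinkholed but are not yet on the local list.

```python
"""Sinkhole-hit triage over DNS resolver logs (illustrative, not the article's code)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: address blocks published by the sinkhole operator (hypothetical ranges).
SINKHOLE_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumption: C2 names known to have been sinkholed (hypothetical names).
SINKHOLED_DOMAINS = {"update-check.example", "cdn-stat.example.net"}

# Assumed one-line-per-query resolver log format; adapt the regex to your resolver.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+) query (?P<qname>\S+) answer (?P<rdata>[\d.]+)$"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2017-12-04T10:00:01Z client 10.0.0.5 query update-check.example. answer 192.0.2.10
2017-12-04T10:00:02Z client 10.0.0.7 query www.example.org. answer 203.0.113.20
2017-12-04T10:00:03Z client 10.0.0.5 query cdn-stat.example.net. answer 198.51.100.3
2017-12-04T10:00:04Z client 10.0.0.9 query CDN-STAT.EXAMPLE.NET. answer 198.51.100.3
2017-12-04T10:00:05Z client 10.0.0.9 query mail.example.org. answer 203.0.113.8
2017-12-04T10:00:06Z client 10.0.0.11 query weird-beacon.example. answer 192.0.2.77
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (src, qname, rdata) for a well-formed line, or None for anything else.

    The query name is normalised (trailing dot dropped, lower-cased) so that
    case games in the beacon do not defeat the list lookup.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    return m.group("src"), qname, m.group("rdata")


def is_sinkhole_hit(qname, rdata):
    """A hit is a known sinkholed name, or any answer inside a sinkhole block."""
    if qname in SINKHOLED_DOMAINS:
        return True
    try:
        addr = ip_address(rdata)
    except ValueError:
        return False
    return any(addr in net for net in SINKHOLE_NETS)


def find_infected_hosts(log_text):
    """Map each client IP that hit a sinkhole to the sorted names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; do not abort the whole run
        src, qname, rdata = rec
        if is_sinkhole_hit(qname, rdata):
            hits[src].add(qname)
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(names)}")
```

Run against the embedded sample it reports 10.0.0.5, 10.0.0.9 and 10.0.0.11 as infected and leaves 10.0.0.7 alone; 10.0.0.11 is caught only by the answer address, which is the case a name-only blocklist would miss. A real deployment would feed it the resolver's actual log format and the sinkhole ranges the takedown partners publish.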