What first appeared last week to be yet another malspam campaign solely spread to infect victims with Andromeda, also downloaded some interesting second stage payloads; including several keyloggers and what was later discovered to be labeled as the Fluxer proxybot. The initial malspam lures contained Italian language informing its victims that he or she has received an invoice as the message attachment. The message attachment is a ZIP archive which contained the Andromeda malware installer. More information about this campaign can be found by ThreatHQ customers in Threat ID 5316.
Figure 1. Initial malspam lure geared towards Italian speakers.
Andromeda malware seems to quickly becoming a malicious actor’s favorite initial downloader which will then grab several other keylogger, infostealer, or RAT families post infection. Jeff Scarborough, a malware researcher at PhishMe, first noticed some odd behavior when one of these second stage samples created a listening service on TCP port 80:
Figure 2. Cuckoo sandbox signature alert for a spawned listening service.
Upon execution, the Fluxer proxybot malware first creates a copy of itself at: “C:\Users\<USER>\AppData\Roaming\<Random>\<Random>.exe”. The sample will then delete itself – a process termed by malware authors as melting. For persistence between reboots, the malware will add a startup registry key at “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update\Service”.
The malware then drops and executes a copy of Nginx, an open source web server, which is configured to be an HTTP proxy for the malicious domain consildertufun[.]xyz. Any requests for this domain requests are then relayed to 103.193.4[.]126. The following Nginx configuration file was observed in the same directory as the copied malware sample with the filename “lv.tmp”:
Figure 3. The Nginx proxy configuration file.
This malware family contains a centralized command and control PHP panel where the botnet administrator can update its configuration and check on the status of the botnet. Whenever the malware checks in with the C2 server, it determines if the bot is on a NAT connection or directly connected to the Internet. If the latter holds true, the infected machine is added and promoted as an active proxy in the botnet.
Figure 4. Plaintext traffic from C2 server informing bot to kill itself.
Figure 5. The Fluxer botnet panel login screen.
SID 2007854 – ET MALWARE User-Agent (Mozilla) – Possible Spyware Related