Years after a major disruption, Gamarue is still worming around, often spreading dangerous payloads.
Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue we observe most frequently is a worm that spreads primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as click fraud.
It might seem unusual that Gamarue continues to be so prevalent given that it was disrupted in 2017. In 2024 it was in our top 10 eight times in 12 months, with the most activity in January and June. Its presence in our top 10 threats tells us how pervasive worms can be, even years after takedowns of much of their command and control (C2) infrastructure. As of December 2024 there is some evidence of new C2 infrastructure associated with recent Gamarue binaries. It’s worth noting that it does not appear to have made any significant behavioral changes.
With so many threats facing us, USB worms aren’t often the highest priority for many security teams, but they are still worth your attention. While we didn’t see follow-on activity in most Gamarue detections, the fact that we observed Gamarue in so many environments is significant because it tells us that USB worms are still a pervasive infection vector that we need to consider as part of our threat models. Other threats that spread via USB like Tangerine Turkey and Raspberry Robin also highlight this threat vector. While we as security practitioners may think “no one uses USB drives anymore,” our analysis shows that some organizations, particularly those utilizing OT systems, have legacy processes involving USBs that are more difficult to change. Additionally, there is a risk of other adversaries taking over old Gamarue infrastructure and using it for their own nefarious purposes.
While detection of Gamarue is possible, ideally, organizations should take action to prevent USB infections altogether. There are multiple mitigation options, and the best one for each organization will depend on business needs for USB drives as well as the capacity for implementing these controls. As always, test these thoroughly before deploying into production:
Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual command lines that include long filenames with repeating characters and random function names. Here are a couple of examples of common command lines we observe:
rundll32.exe \aceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaccec.aceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaccec,IgADoIcwBkEYaMgE
rundll32.exe \----__--_-_--___---__---___-___--__---_-_____-_-----_--.----__--_-_--___---__---___-___--__---_-_____-_-----_--,L1yJvXAtVNnT5pV8
Here is pseudocode for a detection analytic that would detect these command lines:
process == rundll32 && deobfuscated_command_includes('/\S{10,70}\.\S{10,70},\w{16}/')*
Note: This regular expression looks for a pattern of between 10-70 non-whitespace characters followed by a period followed by 10-70 more non-whitespace characters, followed by a comma, followed by 16 word characters.
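As an added example that is not part of the article, here is the analytic above implemented in Python and run over constructed telemetry: the two command lines quoted above plus benign rundll32 invocations a looser rule would flag. The process check and the regular expression are taken from the pseudocode; the normalize() helper is an assumed minimal stand-in for the deobfuscation step, not anything from the article.

```python
import re

# Regex from the pseudocode analytic: 10-70 non-whitespace characters, a literal
# period, 10-70 more non-whitespace characters, a comma, then 16 word characters.
GAMARUE_RUNDLL32_RE = re.compile(r"\S{10,70}\.\S{10,70},\w{16}")


def normalize(cmdline: str) -> str:
    """Assumed stand-in for the 'deobfuscated command' the analytic expects:
    drop quote characters and collapse runs of whitespace."""
    return " ".join(cmdline.replace('"', "").split())


def is_gamarue_like(process: str, cmdline: str) -> bool:
    """True when the image is rundll32 and the command line fits the pattern."""
    image = process.lower().replace("\\", "/").rsplit("/", 1)[-1]
    if image not in ("rundll32", "rundll32.exe"):
        return False
    return GAMARUE_RUNDLL32_RE.search(normalize(cmdline)) is not None


def scan(events):
    """Return the command lines of the events that trip the analytic."""
    return [e["cmdline"] for e in events if is_gamarue_like(e["process"], e["cmdline"])]


# Constructed sample telemetry: the two command lines quoted in the article,
# two benign rundll32 invocations, and a non-rundll32 process.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \aceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaccec.aceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaceaccec,IgADoIcwBkEYaMgE"},
    {"process": "rundll32.exe",
     "cmdline": r"rundll32.exe \----__--_-_--___---__---___-___--__---_-_____-_-----_--.----__--_-_--___---__---___-___--__---_-_____-_-----_--,L1yJvXAtVNnT5pV8"},
    # Benign: short DLL name and a 14-character export.
    {"process": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: the export is 16 characters, but only "dll" follows the period,
    # so the filename part of the pattern does not match.
    {"process": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\advpack.dll,LaunchINFSection"},
    # Same argument shape, but not rundll32: the process check excludes it.
    {"process": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s \aceaceaceaceaceace.aceaceaceaceaceace,IgADoIcwBkEYaMgE"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the two command lines from the article are returned; the advpack.dll case shows why the rule keys on the filename shape as well as the 16-character export name.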
Start testing your defenses against Gamarue using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Atomic Red Team includes a long list of tests for Rundll32 tradecraft. While none of them perfectly emulate the detection logic described above, security teams can supply a custom DLL file that mimics the seemingly random filenames shown in the above command lines to validate their detection capabilities.
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.