
Gamarue

Gamarue is a worm that primarily spreads via USB drives. Despite its command and control (C2) infrastructure being disrupted in 2017, Gamarue keeps worming its way through many environments.


Overall rank: #10
Customers affected: 5%

Analysis

Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2020 was a worm that primarily spread via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as click fraud.

Most Gamarue detections we observed started with a user clicking on a malicious LNK file disguised as a legitimate file on a USB drive. This resulted in execution of the Windows DLL Host (rundll32.exe) attempting to load a malicious DLL file. In some environments, the malicious DLL didn’t exist, likely because it was removed by antivirus (AV) or an endpoint protection product.

Not dead yet

It might seem unusual that Gamarue was so prevalent in 2020 given that it was disrupted in 2017. However, its presence in our top 10 threats tells us how pervasive worms can be, even years after takedowns of much of their command and control (C2) infrastructure. Although Gamarue isn’t as active as it was, we observed at least one Gamarue C2 domain that appeared to be active at the time of detection in April 2020. This suggests that although Gamarue has been significantly disrupted, it isn’t completely gone, and therefore should still be taken seriously.

With so many threats facing us, USB worms aren’t often the highest priority for many security teams, but they are still worth your attention. While we didn’t see follow-on activity in most Gamarue detections, the fact that we observed Gamarue in so many environments is significant because it tells us that USB worms are still a pervasive infection vector that we need to consider as part of our threat models. While we as security practitioners may think “no one uses USB drives anymore,” our analysis shows that’s clearly not the case in many organizations. Just because we as analysts aren’t excited about USB malware, it doesn’t make it any less pervasive.

Detection opportunities

Detection opportunity 1

Special characters in rundll32 command line
ATT&CK technique(s): T1218.011 Signed Binary Proxy Execution: Rundll32
ATT&CK tactic(s): Defense Evasion, Execution

Details: The main detection analytic that helped us catch so much Gamarue was based on what we noticed about how Gamarue executed rundll32.exe. As we examined multiple Gamarue detections over time, we noticed that their rundll32.exe command lines consistently used the same number of characters in a repeatable pattern—25 characters followed by a period followed by 25 additional characters, then a comma and 16 more characters. For example:

We translated this into a regular expression, simplified as: [25 ASCII characters].[25 ASCII characters],[16 ASCII characters]

Detecting a process of rundll32.exe combined with this regular expression looking for multiple special characters in the process command line helped us catch Gamarue. This detection analytic is a good example of how intelligence analysts can use observations about commonalities in threats over time to create useful analytics:

  1. Hey, we see that same pattern with a whole bunch of underscores a lot…what is that?
  2. Oh cool, that looks like Gamarue.
  3. It keeps doing the same thing. Let’s make an analytic for that!
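The length pattern above, turned into detection logic and run over a few constructed process events. This is an added example, not Red Canary's analytic: the exact character class and the handling of quotes and a directory prefix are assumptions, since the page only says "ASCII characters".

```python
import re

# Printable ASCII without whitespace or backslash (assumption; the page only says "ASCII characters").
PRINTABLE = r"[\x21-\x5b\x5d-\x7e]"

# 25 characters, a period, 25 characters, a comma, 16 characters, at the end of the command line.
GAMARUE_RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?:[^\s\\"]*\\)*'   # rundll32[.exe], optional quotes and directory path
    + PRINTABLE + r"{25}\." + PRINTABLE + r"{25}," + PRINTABLE + r'{16}"?\s*$',
    re.IGNORECASE,
)

# Constructed process events, not real telemetry. The names mimic the underscore-heavy
# 25.25,16 shape the page describes; evt-4 is one character short and must not match.
SAMPLE_EVENTS = [
    {"id": "evt-1", "process": "rundll32.exe",
     "cmdline": "rundll32.exe ab_cd_ef_gh_ij_kl_mn_op_q.rs_tu_vw_xy_za_bc_de_fg_h,ij_kl_mn_op_qr_s"},
    {"id": "evt-2", "process": "rundll32.exe",   # benign, ordinary rundll32 usage
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": "evt-3", "process": "rundll32.exe",   # same pattern with a drive-letter path prefix
     "cmdline": r"rundll32.exe E:\ab_cd_ef_gh_ij_kl_mn_op_q.rs_tu_vw_xy_za_bc_de_fg_h,ij_kl_mn_op_qr_s"},
    {"id": "evt-4", "process": "rundll32.exe",   # 24-character first segment: must not match
     "cmdline": "rundll32.exe ab_cd_ef_gh_ij_kl_mn_op_.rs_tu_vw_xy_za_bc_de_fg_h,ij_kl_mn_op_qr_s"},
    {"id": "evt-5", "process": "explorer.exe",   # right string, wrong process
     "cmdline": "rundll32.exe ab_cd_ef_gh_ij_kl_mn_op_q.rs_tu_vw_xy_za_bc_de_fg_h,ij_kl_mn_op_qr_s"},
]


def matches_gamarue_pattern(process_name: str, command_line: str) -> bool:
    """True when the process is rundll32.exe and its command line has the 25.25,16 shape."""
    if process_name.lower() != "rundll32.exe":
        return False
    return GAMARUE_RUNDLL32.search(command_line) is not None


def find_suspicious(events):
    """Return the ids of events that should be surfaced for analyst review."""
    return [e["id"] for e in events if matches_gamarue_pattern(e["process"], e["cmdline"])]


if __name__ == "__main__":
    for event_id in find_suspicious(SAMPLE_EVENTS):
        print("suspicious rundll32 command line:", event_id)
```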

Detection opportunity 2

Windows Installer (msiexec.exe) external network connections
ATT&CK technique(s): T1218.007 Signed Binary Proxy Execution: Msiexec, T1055.012 Process Injection: Process Hollowing
ATT&CK tactic(s): Defense Evasion, Command and Control

Details: We observed Gamarue injecting into the signed Windows Installer msiexec.exe, which subsequently connected to C2 domains. Adversaries commonly use msiexec.exe to proxy the execution of malicious code through a trusted process. We detected Gamarue by looking for msiexec.exe without a command line making external network connections. Though many Gamarue C2 servers were disrupted in 2017, we found that some domains were active in 2020, like the one in the following example (4nbizac8[.]ru):

We could just detect the domain, but as we know, adversaries like to change those up (Pyramid of Pain, anyone?), so we found this analytic to be more durable. You’ll have to tune out any legitimate network connections that msiexec.exe makes from your network, since every environment is different. If you aren’t excited about detecting Gamarue, don’t worry—this same detection analytic also helped us catch other threats such as Zloader throughout 2020.
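The msiexec.exe analytic expressed as code over a few constructed network-connection events, including the tuning step the paragraph calls for. This is an added example, not Red Canary's detector; the internal address ranges, the allowlist and the event field names are assumptions, and 203.0.113.0/24 is a documentation range standing in for "external".

```python
import ipaddress
import ntpath

# Internal ranges are an assumption; tune to your own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed allowlist of destinations that msiexec.exe legitimately contacts in this environment.
ALLOWLIST = frozenset({"updates.vendor.invalid"})

# Constructed network-connection events, not real telemetry. net-1 uses the domain from the page.
SAMPLE_EVENTS = [
    {"id": "net-1", "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"', "dest_ip": "203.0.113.10", "dest_host": "4nbizac8[.]ru"},
    {"id": "net-2", "image": r"C:\Windows\System32\msiexec.exe",   # real install: has arguments
     "cmdline": r"msiexec.exe /i C:\Temp\installer.msi /qn", "dest_ip": "203.0.113.25", "dest_host": "cdn.vendor.invalid"},
    {"id": "net-3", "image": r"C:\Windows\System32\msiexec.exe",   # no arguments, but internal destination
     "cmdline": r"C:\Windows\System32\msiexec.exe", "dest_ip": "10.0.0.5", "dest_host": "fileserver.corp.invalid"},
    {"id": "net-4", "image": r"C:\Windows\System32\msiexec.exe",   # no arguments, external, but allowlisted
     "cmdline": r"C:\Windows\System32\msiexec.exe", "dest_ip": "203.0.113.50", "dest_host": "updates.vendor.invalid"},
    {"id": "net-5", "image": r"C:\Windows\explorer.exe",            # wrong process
     "cmdline": r"C:\Windows\explorer.exe", "dest_ip": "203.0.113.10", "dest_host": "4nbizac8[.]ru"},
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the image path (quoted or not) with nothing after it."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        rest = cl[close + 1:] if close != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def find_msiexec_beacons(events, allowlist=frozenset()):
    """msiexec.exe launched with no command line, connecting to a non-allowlisted external host."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "msiexec.exe":
            continue
        if not has_no_arguments(e["cmdline"]):
            continue
        if not is_external(e["dest_ip"]) or e["dest_host"] in allowlist:
            continue
        hits.append(e)
    return hits
```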

Bonus forensic analysis opportunity

ROT13 registry modifications
ATT&CK technique(s): T1112 Modify Registry
ATT&CK tactic(s): Defense Evasion, Execution

Details: While this isn’t a detection opportunity, we wanted to share a tip for how we identify the source LNK that executed Gamarue in many of our detections. We observed that the parent process of rundll32.exe (often explorer.exe) usually creates a registry value in the UserAssist subkey. UserAssist tracks applications that were executed by a user and encodes data using the ROT13 cipher. Because Gamarue is often installed by a user clicking an LNK file, if you’re trying to figure out the source of Gamarue, check out the registry key HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist for any registry modifications ending in .yax; .yax is the ROT13-encoded value of .lnk. While this won’t be a good detection opportunity on its own, it could be helpful to look for this registry value if you’re responding to a Gamarue incident to figure out where it came from and clean the USB drive.
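The UserAssist triage step as a script: decode ROT13 value names and keep the ones that end in .yax. This is an added example, not from the original page; the sample value names are constructed, and the optional live-registry helper reads the current user's hive (HKEY_CURRENT_USER, the same data the page addresses via HKEY_USERS\{SID}) through the standard winreg module.

```python
import codecs

# Constructed UserAssist value names, ROT13-encoded exactly as Windows stores them. Not real telemetry.
SAMPLE_VALUE_NAMES = [
    r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr",   # a known-folder GUID prefix + regedit.exe
    r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr",                       # notepad.exe, a plain .exe launch
    r"R:\Ubyvqnl_Cubgbf.yax",                                 # a .lnk opened from a removable drive
]


def rot13(value_name: str) -> str:
    return codecs.decode(value_name, "rot_13")


def find_lnk_launches(value_names):
    """Decoded paths of entries whose encoded name ends in '.yax' (ROT13 of '.lnk')."""
    return [rot13(name) for name in value_names if name.lower().endswith(".yax")]


def live_userassist_names():
    """On Windows, list UserAssist\{GUID}\Count value names for the current user; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as ua:
        for i in range(winreg.QueryInfoKey(ua)[0]):
            try:
                with winreg.OpenKey(ua, winreg.EnumKey(ua, i) + r"\Count") as count:
                    for j in range(winreg.QueryInfoKey(count)[1]):
                        names.append(winreg.EnumValue(count, j)[0])
            except OSError:
                continue   # GUID subkey without a Count subkey
    return names


if __name__ == "__main__":
    for path in find_lnk_launches(live_userassist_names() or SAMPLE_VALUE_NAMES):
        print("LNK launched by this user:", path)
```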

Katie Nickels
DIRECTOR OF INTELLIGENCE
Katie has worked in Security Operations Centers and cyber threat intelligence for nearly a decade, hailing from a liberal arts background with degrees from Smith College and Georgetown University. Prior to joining Red Canary, Katie was the ATT&CK Threat Intelligence Lead at The MITRE Corporation, where she focused on applying cyber threat intelligence to ATT&CK and sharing why that’s useful. She is also a SANS instructor and has shared her CTI and ATT&CK expertise with presentations at many conferences as well as through Twitter, blog posts, and podcasts.