More than five years after an attempted takedown, Gamarue has survived, often spreading via infected USB drives, an initial access vector that also won’t seem to die.
Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2022 was a worm that spread primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as click fraud.
It might seem unusual that Gamarue continued to be so prevalent in 2022 given that it was disrupted in 2017. However, its presence in our top 10 threats tells us how pervasive worms can be, even years after takedowns of much of their command and control (C2) infrastructure. Although Gamarue isn’t as active as it once was, it isn’t completely gone, and therefore should still be taken seriously, as it may be a sign of poor security hygiene.
New names on the lease
Additionally, there is a risk of other adversaries taking over old Gamarue infrastructure and using it for their own nefarious purposes. Mandiant reported that the Turla Team, tracked under the name UNC4210, did exactly that in 2022—the actors re-registered expired Gamarue domains and used them to profile victims that they later targeted with follow-on malware.
USB threats: Underlooked Security Burdens
With so many threats facing us, USB worms aren’t often the highest priority for many security teams, but they are still worth your attention. While we didn’t see follow-on activity in most Gamarue detections, the fact that we observed Gamarue in so many environments is significant because it tells us that USB worms are still a pervasive infection vector that we need to consider as part of our threat models. Other threats that spread via USB like Raspberry Robin also highlight this threat vector. While we as security practitioners may think “no one uses USB drives anymore,” our analysis shows that’s clearly not the case in many organizations, and we regularly observe infections starting from USB drives.
While detection of Gamarue is possible, ideally, organizations should take action to prevent USB infections altogether. There are multiple mitigation options, and the best one for each organization will depend on business needs for USB drives as well as the capacity for implementing these controls. As always, test these thoroughly before deploying into production:
Investigate if your antivirus software has a feature to scan removable drives during mounting.
Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual command lines that include long filenames with repeating characters and random function names. Here are a couple examples of common command lines we observe:
Here is pseudocode for a detection analytic that would detect these command lines:
process == rundll32
Note: This regular expression looks for a pattern of between 10 and 70 non-whitespace characters, followed by a period, followed by 10 to 70 more non-whitespace characters, followed by a comma, followed by 16 word characters (the exported function name).
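As an added example that is not part of the original report, the detection pseudocode above carried into runnable Python: the regex is reconstructed from the description in the note (the report's own pattern text is not reproduced here), and it is run over constructed sample process events, not real Gamarue command lines.

```python
import re
from typing import List, NamedTuple

# Reconstructed from the note's description: 10-70 non-whitespace characters,
# a period, 10-70 non-whitespace characters, a comma, then 16 word characters.
GAMARUE_CMDLINE_RE = re.compile(r"\S{10,70}\.\S{10,70},\w{16}")


class ProcessEvent(NamedTuple):
    process_name: str
    command_line: str


def is_suspicious_rundll32(event: ProcessEvent) -> bool:
    """process == rundll32 AND command line matches the reconstructed pattern."""
    if event.process_name.lower() not in ("rundll32", "rundll32.exe"):
        return False
    return GAMARUE_CMDLINE_RE.search(event.command_line) is not None


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events the analytic would alert on."""
    return [e for e in events if is_suspicious_rundll32(e)]


# Constructed sample telemetry (hypothetical values, not real indicators):
# a filename of repeating characters plus a 16-character "random" export name.
CONSTRUCTED_SUSPICIOUS = "\\" + "o" * 20 + "." + "o" * 19 + ",abcdEFGHijklMNOP"

SAMPLE_EVENTS = [
    # Benign: short DLL name and a well-known export, should not match.
    ProcessEvent("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    # Suspicious shape described in the text, should match.
    ProcessEvent("rundll32.exe", "rundll32.exe " + CONSTRUCTED_SUSPICIOUS),
    # Same command line but a different process: the analytic is rundll32-only.
    ProcessEvent("svchost.exe", "svchost.exe " + CONSTRUCTED_SUSPICIOUS),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```

Because the pattern is unanchored, a legitimate path with a dot inside a directory name and a 16-character export can also satisfy it, so tune with an allowlist of known-good DLL paths before deploying.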
Atomic Red Team includes a long list of tests for Rundll32 tradecraft. While none of them perfectly emulate the detection logic described above, security teams can supply a custom DLL file that mimics the seemingly random filenames shown in the above command lines to validate their detection capabilities.