Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2020 was a worm that primarily spread via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as click fraud.
Most Gamarue detections we observed started with a user clicking on a malicious LNK file disguised as a legitimate file on a USB drive. This resulted in execution of the Windows DLL Host (rundll32.exe) attempting to load a malicious DLL file. In some environments, the malicious DLL didn’t exist, likely because it was removed by antivirus (AV) or an endpoint protection product.
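One way to turn the chain described above into a detection check, as an added example that is not part of the report: it flags rundll32.exe launches whose command line names a DLL on a drive reported as removable, and records whether that DLL still existed on disk (the report notes it is often already gone). The event field names, the removable-drive set, the on-disk path set and the sample events are all constructed assumptions; map them to your own EDR or Sysmon schema.

```python
import re

# Constructed process-creation events (not real telemetry). Field names are
# assumptions for this example, not a vendor schema.
EVENTS = [
    {"pid": 4120, "process": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe E:\~$report.dll,Start"},
    {"pid": 4188, "process": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe F:\Photos\holiday.dll,Open"},
    {"pid": 912, "process": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 2204, "process": "explorer.exe", "parent": "userinit.exe",
     "cmdline": "explorer.exe"},
]

# Drive letters the host reported as removable media at the time (constructed).
REMOVABLE = {"E:", "F:"}

# DLL paths that actually existed on disk when the event fired (constructed).
# The second sample event's DLL is deliberately absent, mirroring the report's
# observation that AV had already removed it in some environments.
PRESENT = {r"e:\~$report.dll"}

# First argument to rundll32: a drive-rooted path, optionally quoted, up to the
# comma that separates the DLL from its export name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\[^",]+)"?', re.I)


def dll_from_cmdline(cmdline):
    """Return the DLL path rundll32 was asked to load, or None if not parseable."""
    m = RUNDLL_RE.search(cmdline)
    return m.group("dll").strip() if m else None


def triage(event, removable=REMOVABLE, present=PRESENT):
    """Return a finding for rundll32 loading a DLL from removable media, else None."""
    if event["process"].lower() != "rundll32.exe":
        return None
    dll = dll_from_cmdline(event["cmdline"])
    if dll is None or dll[:2].upper() not in removable:
        return None
    return {"pid": event["pid"], "parent": event["parent"], "dll": dll,
            "dll_present": dll.lower() in {p.lower() for p in present}}


def findings(events=EVENTS, removable=REMOVABLE, present=PRESENT):
    """Run triage over a batch of events and keep only the hits."""
    return [f for f in (triage(e, removable, present) for e in events) if f]
```

A hit whose `dll_present` is false is still worth escalating: the missing DLL is consistent with AV having cleaned up after the LNK was already clicked.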
Not dead yet
It might seem unusual that Gamarue was so prevalent in 2020 given that it was disrupted in 2017. However, its presence in our top 10 threats tells us how pervasive worms can be, even years after takedowns of much of their command and control (C2) infrastructure. Although Gamarue isn’t as active as it was, we observed at least one Gamarue C2 domain that appeared to be active at the time of detection in April 2020. This suggests that although Gamarue has been significantly disrupted, it isn’t completely gone, and therefore should still be taken seriously.
With so many threats facing us, USB worms aren’t often the highest priority for many security teams, but they are still worth your attention. While we didn’t see follow-on activity in most Gamarue detections, the fact that we observed Gamarue in so many environments is significant because it tells us that USB worms are still a pervasive infection vector that we need to consider as part of our threat models. While we as security practitioners may think “no one uses USB drives anymore,” our analysis shows that’s clearly not the case in many organizations. Just because we as analysts aren’t excited about USB malware, it doesn’t make it any less pervasive.