I was able to acquire logs during one of my investigations which illustrate how Andromeda is sold to buyers and how the panel is acquired. It's sold through an automated system; the commands available to the buyer are shown below:
|Available commands for buyers|
Admin panel
The panel comes in a password-protected RAR archive which holds:
Starting from the top with adm.php it is packed:
After unpacking and formatting it ends up with a layer of string obfuscation as shown in the extract:
|Unpacked code with obfuscated strings|
|Function for decoding strings|
Using that same function together with some PHP "preg_match-magic" the code ends up much more readable.
PHP Code Injection (requires credentials)
One function that stood out in the code was SaveSettings:
|SaveSettings to config (note: syntax is somewhat off)|
|Writing PHP code to config|
|Executing commands through config.php|
|Code for adding tasks to database|
Command Enumeration (requires RC4 key)
Having established two vulnerabilities in the admin panel, the same type of code (obfuscation and naming convention) is also found in the gate (gate.php). Since Andromeda has no file-upload capability, it isn't possible to remotely upload files, as with the ZeuS remote update vulnerability.
It is, however, possible to communicate with the panel to retrieve commands and submit data in the form of keylogs and grabbed forms. The key can be acquired through debugging (out of scope in this post).
|Code for parsing data from POST-request|
The response is encrypted using the bot id as key.
If the wrong key is used to encrypt the data, or the data is malformed, the panel returns an HTTP 404 response.
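For an analyst working from a traffic capture rather than a live server, the same facts apply in reverse: the response can be recovered offline with the bot id seen in the request. The following is an added example, not code from the original post or from the Andromeda panel. It assumes, as the section heading's "RC4 key" suggests, that the response is RC4-encrypted with the bot id as key; the bot id and the plaintext below are constructed, and the "ciphertext" is produced by the same routine, since no real capture is reproduced here.

```python
"""Recover an RC4-encrypted gate response from a capture, keyed by bot id.

Added example (not the post's or the panel's code). Assumptions: RC4 is the
cipher used for the response and the bot id string is the key; the sample
bot id and plaintext are constructed.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_text(data: bytes) -> bool:
    """Printable ASCII plus tab/newline: the sanity check for a correct key."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decrypt_response(bot_id: str, ciphertext: bytes) -> Optional[str]:
    """Decrypt a captured response with the bot id as key.

    Returns the text on success, or None when the result is not text, which
    is what a wrong bot id (or a response that was not RC4 at all) looks like.
    """
    plain = rc4(bot_id.encode(), ciphertext)
    return plain.decode("ascii") if looks_like_text(plain) else None


# Constructed sample: a made-up bot id and an opaque placeholder for the
# command list (not Andromeda's real command syntax).
SAMPLE_BOT_ID = "1234567890"
SAMPLE_PLAINTEXT = b"constructed command list placeholder, not real syntax"
SAMPLE_CIPHERTEXT = rc4(SAMPLE_BOT_ID.encode(), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("right key :", decrypt_response(SAMPLE_BOT_ID, SAMPLE_CIPHERTEXT))
    print("wrong key :", decrypt_response("0000000000", SAMPLE_CIPHERTEXT))
```

The `looks_like_text` check is the practical part: with a wrong key RC4 produces uniformly random-looking bytes, so a decrypt that is entirely printable is strong evidence the bot id from the request was the right key.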
Python makes it easy to automate all of this to enumerate commands from an existing server [script]:
|Script for enumerating commands from panel|
Uploading keylogs and formgrabs can be done by appending fg: or kl: followed by base64-encoded logs to the above format. Each grabbed form and each keylog is delimited by 0x01, and the values in each log are delimited by 0x02 (for example user-agent, cookie and URL for grabbed forms).
|Code for parsing uploaded logs|
\x01<keylog>\x02<process caption>\x02<process name>\x01
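The same format is what an analyst sees when pulling uploads out of captured gate traffic or a seized panel database, so a parser for it is worth having. The following is an added example, not code from the original post or the panel. It follows the layout described above (a kl: or fg: tag, base64, records wrapped in 0x01, fields split on 0x02); the keylog field names come from the format line above, while the formgrab field order (user-agent, cookie, URL) is taken from the post's "for example" and is an assumption. The sample uploads are constructed, not captured.

```python
"""Parse kl:/fg: uploads in the Andromeda gate format described in the post.

Added example (not the post's or the panel's code). Field names for keylogs
follow the format line in the post; the formgrab field order is an
assumption; all sample data is constructed.
"""
import base64
import binascii
from typing import Dict, Iterable, List, Sequence

RECORD_SEP = b"\x01"
FIELD_SEP = b"\x02"
FIELDS = {
    "kl": ("keylog", "process_caption", "process_name"),
    "fg": ("user_agent", "cookie", "url"),  # order assumed from the post
}


def parse_upload(payload: str) -> List[Dict[str, str]]:
    """Split one tagged upload into records.

    Raises ValueError for an unknown tag, invalid base64 or a record with the
    wrong number of fields, so malformed data is rejected rather than
    silently mis-attributed.
    """
    tag, sep, b64 = payload.partition(":")
    if not sep or tag not in FIELDS:
        raise ValueError(f"unknown or missing tag: {tag!r}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid base64") from exc

    names = FIELDS[tag]
    records: List[Dict[str, str]] = []
    # Each record is wrapped in 0x01, so splitting leaves empty chunks at the
    # ends and between records; those are skipped.
    for chunk in raw.split(RECORD_SEP):
        if not chunk:
            continue
        fields = chunk.split(FIELD_SEP)
        if len(fields) != len(names):
            raise ValueError(
                f"record has {len(fields)} fields, expected {len(names)}")
        record = {"type": tag}
        record.update(zip(names, (f.decode("utf-8", "replace") for f in fields)))
        records.append(record)
    return records


def build_upload(tag: str, records: Iterable[Sequence[str]]) -> str:
    """Inverse of parse_upload; used here only to construct sample data."""
    body = b"".join(
        RECORD_SEP + FIELD_SEP.join(v.encode() for v in rec) + RECORD_SEP
        for rec in records)
    return tag + ":" + base64.b64encode(body).decode()


# Constructed samples in the post's layout: \x01<keylog>\x02<caption>\x02<process>\x01
SAMPLE_KL = build_upload("kl", [
    ("hello world", "Untitled - Notepad", "notepad.exe"),
    ("<b>not executed: escaped on output</b>", "cmd", "cmd.exe"),
])
SAMPLE_FG = build_upload("fg", [
    ("Mozilla/5.0 (constructed)", "session=abc", "http://example.invalid/login"),
])

if __name__ == "__main__":
    for rec in parse_upload(SAMPLE_KL) + parse_upload(SAMPLE_FG):
        print(rec)
```

Keeping the parser strict about field counts matters when the input comes from an adversary-controlled source: a record with a stray 0x02 inside a value would otherwise shift every later field into the wrong column.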
The posted data does not execute in the panel, as it is escaped on output, but it does make it possible to leave a message for the actor(s) running the panel.
Conclusion
The vulnerabilities might very well exist in more places, but the vulnerabilities described do enable researchers, for example, to battle malware and malware campaigns.
By enumerating commands from the panel, it's possible to track the actors' steps by downloading the malware and plugins that the bot is intended to download.
It's also possible to leave a message in the form of keylogs and formgrabs to let the actor(s) know that they are under observation.