Microsoft® Windows OS
Advisory ID:
June 6, 2024


ngCERT is aware of the resurgence of Andromeda malware, also known as Gamarue, Wauchos, and Andromeda Stealer, which is a dangerous Trojan horse with multiple malicious capabilities. This malware has been used by threat actors to create a network of infected computers, known as Andromeda Botnet, which can be used to launch further attacks by distributing other malwares such as ransomwares, banking Trojans, Distributed Denial of Service (DDos), spam bot and backdoor. Despite the takedown of the Andromeda botnet by US and Europe law enforcement agencies in 2017, new variants have been detected, infecting systems worldwide, including Nigeria. ngCERT advises individuals and organisations to take immediate steps to protect their systems and data from Andromeda and other malware threats.

Description & Consequence

The Andromeda malware is a modular bot that can be modified by using plugins for keyloggers, rootkits, TeamViewers, and spreaders, to expand its attack chain and reach. The malware can infect systems through various methods, such as spear phishing emails, drive-by-downloads, infected cracks or keygens, removable drives, as well as clicking on malicious links. The malware can perform various functions, such as using anti-virtual machine and anti-debugging techniques, creating botnets, working as a backdoor, and stealing sensitive information. The malware can also receive commands from its control server for downloading and executing files, performing remote shells, or uninstalling itself from the system.

Successful exploitation of the vulnerabilities could lead to:

  1. System compromise.
  2. Unauthorised access to sensitive data.
  3. Loss and theft of sensitive data.
  4. System takeover.
  5. Ransomware attacks.
  6. Financial loss.
  7. DDos attacks.


ngCERT recommends the following:

  • Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
  • Block the malicious external IP addresses and other malicious IP addresses on your network.
  • Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
  • Activate built-in security features on endpoint devices which scan applications for malware.
  • Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution including anti-malware software.
  • Enforce a strong password policy, implement regular password changes.
  • Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.



Related Articles