What first appeared last week to be yet another malspam campaign spread solely to infect victims with Andromeda also downloaded some interesting second stage payloads, including several keyloggers and what was later discovered to be labeled the Fluxer proxybot. The initial malspam lures were written in Italian, informing the victim that they had received an invoice as the message attachment. The attachment is a ZIP archive containing the Andromeda malware installer. More information about this campaign is available to ThreatHQ customers in Threat ID 5316.

Figure 1. Initial malspam lure geared towards Italian speakers.

Andromeda malware seems to be quickly becoming a malicious actor’s favorite initial downloader, one that then grabs several other keylogger, infostealer, or RAT families post infection. Jeff Scarborough, a malware researcher at PhishMe, first noticed some odd behavior when one of these second stage samples created a listening service on TCP port 80:

Figure 2. Cuckoo sandbox signature alert for a spawned listening service.

Upon execution, the Fluxer proxybot malware first creates a copy of itself at “C:\Users\<USER>\AppData\Roaming\<Random>\<Random>.exe”. The sample then deletes itself, a process malware authors term melting. For persistence between reboots, the malware adds a startup registry entry at “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft UpdateService”.

The malware then drops and executes a copy of Nginx, an open source web server, configured as an HTTP proxy for the malicious domain consildertufun[.]xyz. Any requests for this domain are relayed to 103.193.4[.]126. The following Nginx configuration file was observed in the same directory as the copied malware sample, with the filename “lv.tmp”:

Figure 3. The Nginx proxy configuration file.
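As an added example (not code from the post or from PhishMe), the parser below pulls the relay mapping out of an nginx-style configuration such as the recovered lv.tmp and turns it into defanged indicators. The sample config is constructed, since the post only shows the file as an image; it uses the proxied host and upstream address named above and assumes the standard server/location/proxy_pass layout.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of a minimal nginx reverse-proxy config.
# The host and upstream are the values the article reports; the rest is assumed.
SAMPLE_CONFIG = """
worker_processes 1;
events { worker_connections 1024; }
http {
    server {
        listen 80;
        server_name consildertufun.xyz;   # proxied domain
        location / {
            proxy_pass http://103.193.4.126;   # real C2 the bot relays to
            proxy_set_header Host $host;
        }
    }
}
"""

_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def _parse(tokens, i=0):
    """Recursive-descent parse of nginx tokens into {directive, args, block} items."""
    items = []
    while i < len(tokens):
        if tokens[i] == "}":
            return items, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i])
            i += 1
        if i >= len(tokens):
            raise ValueError("unterminated directive: %r" % words)
        if tokens[i] == ";":
            items.append({"directive": words[0], "args": words[1:], "block": None})
            i += 1
        else:  # "{" opens a nested block
            children, i = _parse(tokens, i + 1)
            items.append({"directive": words[0], "args": words[1:], "block": children})
    return items, i


def _find(items, name):
    """Yield every directive called `name` at any depth below `items`."""
    for it in items:
        if it["directive"] == name:
            yield it
        if it["block"]:
            yield from _find(it["block"], name)


def find_relays(text):
    """Return one record per proxy_pass: which listen port/host it relays where."""
    tree, _ = _parse(_TOKEN.findall(re.sub(r"#.*", "", text)))
    relays = []
    for srv in _find(tree, "server"):
        listen = [d["args"][0] for d in srv["block"] if d["directive"] == "listen"]
        names = [a for d in srv["block"] if d["directive"] == "server_name" for a in d["args"]]
        for pp in _find(srv["block"], "proxy_pass"):
            relays.append({"listen": listen, "server_name": names, "proxy_pass": pp["args"][0]})
    return relays


def defang(host):
    """Bracket the last dot, matching the article's IoC style (e.g. 103.193.4[.]126)."""
    head, _, tail = host.rpartition(".")
    return "%s[.]%s" % (head, tail) if head else host


def relay_indicators(text):
    """Defanged set of proxied hostnames and upstream hosts found in the config."""
    iocs = set()
    for r in find_relays(text):
        iocs.update(defang(n) for n in r["server_name"])
        iocs.add(defang(urlsplit(r["proxy_pass"]).hostname or r["proxy_pass"]))
    return iocs


if __name__ == "__main__":
    for r in find_relays(SAMPLE_CONFIG):
        print(r)
    print(sorted(relay_indicators(SAMPLE_CONFIG)))
```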

This malware family uses a centralized command and control PHP panel where the botnet administrator can update its configuration and check on the status of the botnet. Whenever the malware checks in with the C2 server, it determines whether the bot is behind a NAT connection or directly connected to the Internet. If the latter holds true, the infected machine is added and promoted as an active proxy in the botnet.

Figure 4. Plaintext traffic from C2 server informing bot to kill itself.

Figure 5. The Fluxer botnet panel login screen.

Malware C2s


Suricata Alert

SID 2007854 – ET MALWARE User-Agent (Mozilla) – Possible Spyware Related

Malware SHA256sums
