S1074 ANDROMEDA
ANDROMEDA is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[1]
| Item | Value |
|---|---|
| ID | S1074 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 16 May 2023 |
| Last Modified | 29 September 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ANDROMEDA has the ability to make GET requests to download files from C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ANDROMEDA can establish persistence by dropping a sample of itself to C:\ProgramData\Local Settings\Temp\mskmde.com and adding a Registry run key to execute every time a user logs on.[1] |
| enterprise | T1105 | Ingress Tool Transfer | ANDROMEDA can download additional payloads from C2.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | ANDROMEDA has been installed to C:\Temp\TrustedInstaller.exe to mimic a legitimate Windows installer service.[1] |
| enterprise | T1036.008 | Masquerade File Type | ANDROMEDA has been delivered through a LNK file disguised as a folder.[1] |
| enterprise | T1055 | Process Injection | ANDROMEDA can inject into the wuauclt.exe process to perform C2 actions.[1] |
| enterprise | T1091 | Replication Through Removable Media | ANDROMEDA has been spread via infected USB keys.[1] |
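As an added detection example (not from the ATT&CK page or any vendor), the following Python flags host telemetry matching two of the behaviours in the table: a Run key pointing at a `.com` binary under a Temp-style path (T1547.001) and a `TrustedInstaller.exe` created anywhere other than its legitimate `%SystemRoot%\servicing` directory (T1036.005). The event format and the sample entries are constructed for illustration.

```python
import re

# Constructed sample telemetry (not real data): Run-key values and file
# creation events in the shape a simple Sysmon/EDR export might have.
SAMPLE_EVENTS = [
    {"type": "run_key", "name": "Updater",
     "target": r"C:\ProgramData\Local Settings\Temp\mskmde.com"},
    {"type": "run_key", "name": "OneDrive",
     "target": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": r"C:\Temp\TrustedInstaller.exe"},
    {"type": "file_create", "path": r"C:\Windows\servicing\TrustedInstaller.exe"},
]

# Legitimate home of TrustedInstaller.exe (Windows Modules Installer).
TRUSTED_INSTALLER_DIR = r"c:\windows\servicing"
# Temp-style directories that are unusual homes for an autostart binary.
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)


def _norm(path):
    # Drop a quoted argument tail and lower-case for NTFS-style comparison.
    return path.strip().strip('"').split('"')[0].lower()


def check_event(event):
    """Return the list of ANDROMEDA-like findings for one event (empty = clean)."""
    findings = []
    if event["type"] == "run_key":
        target = _norm(event["target"])
        if TEMP_DIR_RE.search(target):
            findings.append("T1547.001: Run key points into a Temp directory")
        if target.endswith(".com"):
            # .com is a rare extension for a legitimate autostart entry.
            findings.append("T1547.001: Run key target uses .com extension")
    elif event["type"] == "file_create":
        path = _norm(event["path"])
        directory, _, name = path.rpartition("\\")
        if name == "trustedinstaller.exe" and directory != TRUSTED_INSTALLER_DIR:
            findings.append("T1036.005: TrustedInstaller.exe outside %SystemRoot%\\servicing")
    return findings


def scan(events):
    """Map the index of each flagged event to its findings."""
    return {i: f for i, e in enumerate(events) if (f := check_event(e))}
```

Both rules are heuristics: the Temp-path check in particular will also catch sloppy but benign installers, so treat hits as triage leads rather than verdicts.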