
Curiosity killed the cat

Have you ever found a USB stick somewhere and wondered what might be on it? Don't fall into the trap, and don't let your curiosity get the better of you!

Ever found a USB stick lying around and wondered what’s on it? We get it, it’s tempting to insert the USB stick into your computer and sniff around a little. Even when you have the best intentions and want to find out who it belongs to, it’s a dangerous game to play.


What is Gamarue?

Gamarue is a malware family used as part of a botnet. It is intrusive software designed to damage and destroy your computer and computer system. When you string together multiple infected endpoints, you get a botnet. Those infected machines in a botnet are controlled by the hacker via a command-and-control server.


In the underground cybercrime market, Gamarue is also known as Wauchos or Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can easily purchase.


Back in 2017, Microsoft was able to disrupt the malware family with the help of law enforcement agencies. Before that, it was quickly spreading across the globe, infecting over a million endpoints every month. Despite the takedown, however, it is still going strong in 2023. Red Canary ranked Gamarue the 4th most important threat in January 2023.


Curiosity killed the cat

An employee at one of our customers found a USB stick lying around and inserted it into their computer to find out who it belonged to. The USB contained the Gamarue malware as a worm variant. A worm is a type of virus that replicates itself over the network. It infects numerous vulnerable systems and executes malicious instructions without user interaction.


Unfortunately, the worm was deliberately disguised to look like a legitimate file, tricking the employee into clicking on it. The malware then tries to download a malicious DLL file onto the computer. If the download succeeds, the DLL injects itself into the signed Windows installer to connect over the internet. This way, the hacker can remotely manage the compromised machine and, for example, run distributed denial of service (DDoS) attacks to disable entire networks, or drop other malware onto the system.


The good news is…

Execution of the malware was blocked at an early stage. As soon as Cortex XDR saw that the malware tried to run a suspicious DLL, it prevented the DLL from running. Even though the name was a pretty straightforward way to recognize the malware, it’s still smart. Because each DLL used by Gamarue is different, the file hash was not known.


The malware report from WildFire did mention that the ImpHash (import hash) matches a family of known malware. This import hash could then be traced back to a type of worm which is delivered via USB sticks. Once it was identified as Gamarue, it was clear that, on a host where the DLL is not blocked by the endpoint protection, the worm would have attempted to make connections to a C2 server.
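
Why an import hash can still match when the file hash is unknown, shown as an added example that is not code from Spotit, Cortex XDR or WildFire. It follows the common imphash convention (MD5 over the lowercased `library.function` pairs in import-table order); the sample builds, the family label `example-family` and the `classify` helper are constructed for illustration.

```python
import hashlib

STRIP_EXT = ("dll", "ocx", "sys")  # extensions dropped from library names

def imphash(imports):
    """MD5 of 'lib.func' pairs, lowercased, comma-joined, in import-table order.

    imports: list of (library, function_name | ordinal int) already read from
    a PE import table. Ordinals are written as ord<N>; resolving ordinals of
    well-known libraries to names, as PE parsers do, is left out here.
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in STRIP_EXT:
            lib = stem
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def classify(sample, known_hashes, known_imphashes):
    """Return (verdict, family): exact file hash first, then import hash."""
    sha256 = hashlib.sha256(sample["bytes"]).hexdigest()
    if sha256 in known_hashes:
        return "known-file", known_hashes[sha256]
    family = known_imphashes.get(imphash(sample["imports"]))
    return ("family-match", family) if family else ("unknown", None)

# Constructed data: two builds of one tool, same import table, different bytes.
IMPORTS = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
           ("WS2_32.dll", "connect"), ("ADVAPI32.dll", "RegSetValueExA")]
OLD_BUILD = {"bytes": b"MZ constructed build 1", "imports": IMPORTS}
NEW_BUILD = {"bytes": b"MZ constructed build 2", "imports": IMPORTS}
UNRELATED = {"bytes": b"MZ constructed other", "imports": [("USER32.dll", "MessageBoxA")]}

KNOWN_HASHES = {hashlib.sha256(OLD_BUILD["bytes"]).hexdigest(): "example-family"}
KNOWN_IMPHASHES = {imphash(OLD_BUILD["imports"]): "example-family"}

if __name__ == "__main__":
    for label, s in (("old", OLD_BUILD), ("new", NEW_BUILD), ("other", UNRELATED)):
        print(label, classify(s, KNOWN_HASHES, KNOWN_IMPHASHES))
```

An import-hash match only says two files share an import table, so treat it as a family hint to confirm with other evidence; packing or reordering the imports changes the value.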

Spotit recommended that the customer track down the USB stick and reformat it in order to wipe the malware from the media.


How to protect yourself against Gamarue and other malware?

  • Disable the ‘USB Autorun’ feature. It wouldn’t prevent an attack like this, but it’s still best practice. Simply open the Windows settings and search for AutoPlay. Your IT team can even do this as a group policy in Windows, disabling this feature on all Windows devices in the organization.
  • User awareness. Spread it around like a mantra. Don’t use USB sticks if they do not belong to you and you don’t know what’s on them. Discover our security awareness trainings here.
  • Cortex XDR. Run an XDR on your hosts to detect and prevent this type of malware attack.
  • Spotit SOC. Our managed SOC monitors your environment 24/7 and acts before any damage can be done.