Live Global Events: Secure, Simplify, and Transform Your Business.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Gamarue Dropping Lethic Bot

June 11, 2015 - 3 min read
The Gamarue (aka Andromeda) botnet is a highly modular botnet family that allows attackers to take complete control of an infected system and perform a range of malicious activity by downloading additional payloads. In this blog, we will cover a recent Gamarue infection that we looked at, which downloads and installs the Lethic bot on an infected system.
The Lethic botnet has been known to be involved in pharmaceutical and replica spam since it's inception as was detailed by Arbor Networks here. Neither of these botnets are new and have both survived takedown attempts by authorities. The Gamarue infection in our case was leading to the download of Lethic bot from the following URLs: 
Lethic Bot URLs
(MD5: F909BE6B96C10E36F3C5B9E676F49C7E)
During our analysis, we noticed that the Gamarue and Lethic payloads involved in this infection were both packaged using the same custom packer. Below is the comparison of the code snippet from the packer routine:
Quick Analysis of Lethic bot 

The payload first checks the current running path. If the path does not contain “RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771”, it will create a new folder in “C:\RECYCLER” with a name of “S-1-5-21-0243556031-888888379-781862338-1861771” and then drops a copy of itself with the name “gBvhieXlS1.exe”. It also changes the attributes of the file to make it a system and hidden file.
Creating Path For Dropping File
It then creates “Run” and “RunOnce” registry keys with “fBvhieXlS1” as key name.
  • HKEYCURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce”
RunOnce Key Created
Remote Process Injection
Depending on the system CPU architecture, it utilizes one of these two methods to inject itself into explorer.exe:
  • For a 32-bit CPU architecture, it attempts to get the handle to the existing explorer.exe process and injects a malware module into it. It executes the injected code by calling “CreateRemoteThread” and terminates itself.
  • For a 64-bit CPU architecture, it creates a new explorer.exe process in suspended mode and then injects the malicious code into it. It follows this method if the processor architecture is x64 (AMD or Intel) or Intel Itanium-based. 
The following screenshot shows the instructions that the payload uses to identify the correct path to the explorer.exe file, taking into account both 32-bit and 64-bit versions of the Windows Operating System:
Function to get the path of explorer.exe
Network communication
The Lethic bot connects to a predetermined Command and Control (C&C) server at on port 9900. We noticed several connection failures before a successful connection attempt to the C&C server. We believe that this is the malware author's attempt to evade automated analysis systems. Shown below is a snapshot of the network communication:
Command from C&C server
Lethic bot uses the infected machine as a SMTP proxy as evident in the network communication below:
SMTP proxy traffic
Gamarue & Lethic malware families have both survived takedown attempts and continue to be active in the wild. ThreatlabZ is actively monitoring these two malware families and ensuring coverage for our customers.
Analysis by:  Amandeep Kumar and Nirmal Singh
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.