The Nigerian Computer Emergency Response Team (ngCERT) has issued a high-priority cybersecurity alert after the resurgence of a new variant of Andromeda malware targeting Nigerian institutions, including banks and their customers.
The Nigerian internet police, ngCERT, says the alert is a proactive move against escalating cyber threats. It draws attention to Andromeda, also referred to as Gamarue, Wauchos and Andromeda Stealer, which has resurfaced despite the coordinated takedown effort in 2017 that was meant to dismantle the botnet.
ngCERT: How new variant of Andromeda malware works
According to ngCERT, the resurgence of Andromeda poses a significant risk to Nigeria’s cybersecurity landscape, with the new variant demonstrating greater adaptability and stronger evasion of traditional security controls. The trojan operates as a modular botnet: once a host is infected, the operators can push additional components such as keyloggers, rootkits and remote access tools to it. Its infection vectors include phishing emails, drive-by downloads and malicious links, through which it compromises systems and establishes backdoors for unauthorised access.

Impact on Banks and Financial Institutions:
Banks, financial institutions, and other critical sectors, ngCERT says, are prime targets of this latest Andromeda variant. The malware’s ability to steal sensitive data, initiate ransomware attacks, and disrupt operations through DDoS assaults poses severe operational and financial risks. Such attacks can result in financial losses, data breaches, and service disruptions, jeopardising customer trust and regulatory compliance.
Potential Consequences of Exploitation:
Exploitation by Andromeda poses grave risks to affected systems and organisations, which, according to ngCERT, include:
–Compromise of system integrity
–Unauthorised access to sensitive data
–Theft and loss of critical information
–Complete takeover of systems
–Disruption through ransomware attacks
–Financial losses due to fraudulent activities
–DoS attacks leading to service unavailability
ngCERT urgent recommendations:
In light of the heightened threat from the new Andromeda variant, ngCERT urgently advises the following cybersecurity measures:
Exercise caution with email attachments: Refrain from downloading or opening attachments in emails from untrusted sources, or attachments that arrive unexpectedly from otherwise trusted senders.
Block malicious IP addresses: Block known-malicious external IP addresses, and other suspicious addresses, at the network perimeter.
Keep systems updated: Ensure that all assets, including operating systems, applications, antivirus software, and plugins, are promptly updated to mitigate vulnerabilities.
Activate endpoint security features: Enable built-in security features on endpoint devices to scan applications for malware and other threats.
Implement stronger security measures: Consider deploying robust security solutions such as firewalls, intrusion detection/prevention systems (IDPS), anti-phishing tools, and endpoint detection and response (EDR) solutions with anti-malware capabilities.
Enforce strong password policies: Implement and enforce a strong password policy across all systems and regularly update passwords to enhance security.
Minimise attack surfaces: Disable unnecessary services and close open ports on endpoint devices and servers within your agency. Only maintain services and ports essential for daily operations to reduce potential attack vectors.
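As an added illustration of the IP-blocking advice above (this is example code, not anything published by ngCERT), the following Python script checks a firewall log against a blocklist of addresses and CIDR ranges and reports the connections the firewall still allowed to blocklisted destinations, which points at a rule that is missing, misordered or bypassed. The log format, hostnames, addresses and blocklist entries are constructed for the example and are not indicators from the alert.

```python
"""Audit a firewall log for allowed connections to blocklisted destinations.

Added example for the "block malicious IP addresses" recommendation. The log
format, hosts, addresses and blocklist entries are constructed for
illustration and are not indicators from the ngCERT alert.
"""
import ipaddress
from collections import defaultdict

# Constructed blocklist: bare addresses and CIDR ranges, as an organisation
# might maintain from its own threat-intelligence feed.
BLOCKLIST = [
    "198.51.100.23",
    "203.0.113.0/24",
]

# Constructed log lines: "<timestamp> <hostname> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-06-03T08:14:02Z ws-accounts-07 10.20.4.17 -> 198.51.100.23:443 ALLOW
2024-06-03T08:14:05Z ws-accounts-07 10.20.4.17 -> 192.0.2.10:443 ALLOW
2024-06-03T08:15:11Z srv-teller-02 10.20.9.8 -> 203.0.113.77:8080 ALLOW
2024-06-03T08:16:40Z ws-hr-03 10.20.6.21 -> 203.0.113.200:443 DENY
2024-06-03T08:17:02Z ws-accounts-07 10.20.4.17 -> 198.51.100.23:443 ALLOW
"""


def compile_blocklist(entries):
    """Turn blocklist strings into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_blocked(ip, networks):
    """True if `ip` falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_line(line):
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, host, src, arrow, dst, action = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log format: {line!r}")
    dst_ip, _, dst_port = dst.rpartition(":")
    return {"ts": ts, "host": host, "src": src, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "action": action}


def find_blocklist_hits(log_text, blocklist=BLOCKLIST):
    """Map hostname -> records of ALLOWed connections to blocklisted destinations.

    DENY lines are ignored: they show the block is working. An ALLOW to a
    blocklisted address means the rule is missing, misordered or bypassed.
    """
    networks = compile_blocklist(blocklist)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "ALLOW" and is_blocked(rec["dst_ip"], networks):
            hits[rec["host"]].append(rec)
    return dict(hits)


if __name__ == "__main__":
    for host, recs in find_blocklist_hits(SAMPLE_LOG).items():
        print(f"{host}: {len(recs)} allowed connection(s) to blocklisted destinations")
        for rec in recs:
            print(f"  {rec['ts']} {rec['src']} -> {rec['dst_ip']}:{rec['dst_port']}")
```

Run against the sample log, the script reports ws-accounts-07 (two allowed connections to 198.51.100.23) and srv-teller-02 (one allowed connection into 203.0.113.0/24); the DENY line for ws-hr-03 is not reported because the block held there. Using CIDR objects rather than string comparison is what makes range entries in the blocklist work.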
ngCERT had in May this year issued an alert about Grandoreiro, described as a multi-component banking trojan that runs as Malware-as-a-Service (MaaS) and targets more than 1,500 banks globally, including in Nigeria.
The internet police cited reports that the malware has infected banking applications and websites in more than 60 countries across Central and South America, Africa, Europe and the Indo-Pacific.
“Investigation further revealed that the malware has infected more than 41 banking applications in Nigeria. The new version includes significant changes such as string decryption and DGA calculation, allowing at least 12 different C2 domains per day,” ngCERT said.
According to the agency, “Grandoreiro’s attack chain includes obtaining email addresses from affected hosts and delivering more phishing attempts through the Microsoft Outlook client. Cybercriminals could use the software to gather sensitive financial data, potentially resulting in financial losses. This underscores the need for network and system administrators as well as device users to emplace safeguards to prevent likely attacks.”
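ngCERT's observation that Grandoreiro's domain generation algorithm (DGA) yields at least 12 C2 domains per day suggests a simple detection angle on the resolver logs. The following Python example is added here and is not ngCERT's code, nor an implementation of Grandoreiro's actual DGA (which the alert does not describe): it applies a generic heuristic, flagging any client that queries at least 12 distinct long, high-entropy, vowel-poor domain labels in one day, after discarding domains on an organisation's allowlist. The resolver log lines, client addresses, domain names and allowlist are all constructed for the example.

```python
"""Flag hosts that query many random-looking domains in a day (DGA heuristic).

Added example prompted by ngCERT's figure of at least 12 Grandoreiro C2
domains per day. This is a generic heuristic, not Grandoreiro's algorithm;
the log lines, clients, domains and allowlist below are constructed.
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed allowlist of domains the organisation knows and trusts.
KNOWN_DOMAINS = {"example-bank.ng", "example.com"}

# Constructed resolver log lines: "<date> <client_ip> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2024-05-14 10.20.4.17 portal.example-bank.ng NOERROR
2024-05-14 10.20.4.17 k7xqv2zb9t.net NXDOMAIN
2024-05-14 10.20.4.17 p3wrmz8dfq.com NXDOMAIN
2024-05-14 10.20.4.17 j9ytkx4hvb.org NXDOMAIN
2024-05-14 10.20.4.17 q2nslw7gzr.net NXDOMAIN
2024-05-14 10.20.4.17 b8mxcp5tkj.com NOERROR
2024-05-14 10.20.4.17 w4zrvj9qdl.org NXDOMAIN
2024-05-14 10.20.4.17 h6kpqz3xwn.net NXDOMAIN
2024-05-14 10.20.4.17 t5gbxn8rvm.com NXDOMAIN
2024-05-14 10.20.4.17 z9dlqw2kxp.org NXDOMAIN
2024-05-14 10.20.4.17 f3vmrt7jqz.net NXDOMAIN
2024-05-14 10.20.4.17 n8xkwp4zbh.com NXDOMAIN
2024-05-14 10.20.4.17 r2qzjv6mtk.org NOERROR
2024-05-14 10.20.4.17 c7hbnx5wql.net NXDOMAIN
2024-05-14 10.20.4.17 updates.example.com NOERROR
2024-05-14 10.20.9.8 portal.example-bank.ng NOERROR
2024-05-14 10.20.9.8 m4kxzq7vbt.com NXDOMAIN
2024-05-14 10.20.9.8 updates.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly left of the TLD ("k7xqv2zb9t" for "k7xqv2zb9t.net").

    Assumes a single-label TLD; for public suffixes such as co.uk a proper
    public-suffix list would be needed.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Cheap DGA-style check: a long, high-entropy label with few vowels."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def is_known(qname, known_domains):
    """True if `qname` is, or is a subdomain of, an allowlisted domain."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in known_domains)


def suspicious_hosts(log_text, known_domains=KNOWN_DOMAINS, threshold=12):
    """Map (client_ip, date) -> sorted generated-looking qnames for clients that
    queried at least `threshold` distinct such names on one day.

    The default threshold follows ngCERT's figure of at least 12 C2 domains
    per day; tune it to the environment's false-positive tolerance.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, client, qname, _rcode = line.split()
        if is_known(qname, known_domains) or not looks_generated(qname):
            continue
        seen[(client, date)].add(qname.lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (client, date), names in suspicious_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client} on {date}: {len(names)} generated-looking domains")
        for name in names:
            print(f"  {name}")
```

On the sample log only 10.20.4.17 is reported (13 distinct generated-looking names on 2024-05-14); 10.20.9.8 queried one such name and stays below the threshold. The rcode is deliberately not used as a filter: a DGA domain the operators have registered resolves with NOERROR, so counting only NXDOMAIN responses would miss the live C2 domain, which is exactly the one worth finding. Entropy alone over-flags long legitimate labels such as "example-bank", which is why the vowel ratio and allowlist are applied as well.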