NF – Known Gamarue alias Andromeda BotNet – Unknown sinkhole owner

This alert is triggered when a device within the internal network ($HOME_NET) establishes a TCP connection to IP address 104.238.158.106, which this signature associates with the Gamarue (also known as Andromeda) botnet; the title's "Unknown sinkhole owner" indicates the address is a sinkhole for that botnet run by an unidentified party. Note that the rule matches only on established, client-to-server flows and, because of its detection_filter, fires on the second such connection to the address within five seconds rather than on the first. Gamarue/Andromeda is known for distributing additional malware and engaging in other malicious activity, so a device reaching this address should be treated as likely infected.

Categories:

ID Number

5025288

Signature

alert tcp $HOME_NET any -> 104.238.158.106 any (msg:"NF - Known Gamarue alias Andromeda BotNet - Unknown sinkhole owner"; flow:to_server,established; detection_filter:track by_dst, count 2, seconds 5; reference:url,networkforensic.dk; metadata:05122017; classtype:trojan-activity; sid:5025288; rev:2;)

Severity

High

Recommendations/Investigative actions

Block communication to the botnet IP. Identify the device attempting the connection and run a comprehensive malware scan on the device to check for Gamarue/Andromeda or other potential infections.