A recent threat landscape reportpublished by Fortinet suggests that although the FBI and European law enforcement ended the Andromeda botnet’s reign in late 2017, there are still systems infected with the malware. The firm indicates that the process of cleaning up the infected PCs isn’t progressing at the same pace across regions, as it’s still a large problem in Africa, Asia, and the Middle East.

At its core, Andromeda — or rather Gamarue —  is a platform to deliver a galaxy of malware variants (actually just a mere 80) including ransomware, banking trojans, spam bots, click-fraud malware and more. Between June 2017 and its supposed demise before the start of 2018, Andromeda was on a roll, as it wasdetected and blocked on more than 1 million machineseach month on average.

According to Microsoft, the Andromeda command and control structure spanned 1,214 domains and IP addresses. It also comprised of 464 “distinct” botnets as well as the 80-plus associated malware families. Andromeda was sold on the black market as a “crime kit” that included a bot builder, a command-and-control application, and documentation on how to create a botnet.

What made Andromeda an extremity attractive sell was its modular nature. The kit came with two plug-ins, one of which could turn a PC into a proxy server. For an additional $150, hackers could purchase the keylogger plug-in or grab the Formgetter plug-in for another $250, which captured data submitted through web browsers.

Hackers spread Andromeda through various methods such as social media messages with malicious links, spam email with similar links, trojan downloaders and more. Once it infected a machine, Andromeda contacted a command and control server to become part of a larger network of infected PCs. Once that happened, hackers could do anything with the seized army of machines.

But as the report indicates, getting rid of Andromeda is no simple feat. In Africa alone, Andromeda has the highest prevalence with 25.6 percent followed by the H-worm at 13.8 percent and Ramnit at 10.07 percent. Andromeda tops the charts in Asia followed by Ramnit (9.83 percent) and the H-worm (7.4 percent).

The report suggests that problem with these high percentages is likely tied to the response and remediation capabilities of these countries.

The report also callsthe Smominru botneta “notable addition,” a Monero mining malware targeting Windows-based PCs. It was spread through the EternalBlue exploit, and as a botnet mined around 24 XMR each day. As of this publication, the value of a single XMR was $81, meaning the hackers were generating around $1,944 per day.

Other botnets that are permanent fixtures on the firm’s Threat Landscape Report each month include Gh0st, Pushdo, Necurs, and three others.