A single command-and-control server could be responsible for running a botnet that uses a number of different malware programs to infect users. It appears the cybercriminals are infecting as many machines as possible, and the botnet can be sold or rented to clients. The infection spreads via manipulated Word documents attached to emails.
Security firm G DATA found that a fake rail card invoice is one tactic criminals are using to help infect new victims. The document is not an actual rail card invoice, however; the malware it installs builds up a botnet, as criminals are able to remotely hijack infected PCs.
"The malware behaves like a matryoshka doll on the system," said Ralf Benzmuller, head of G DATA SecurityLabs. "It gradually reveals its potential and actual aim. We suspect that the infected systems are intended for use as zombie PCs in the Andromeda/Gamarue botnet."