Rundll32 with Suspicious Command Line
The Anvilogic Forge has identified multiple occurrences of Andromeda-like malware (aka b66 and Gamarue) across various customer environments. Andromeda is a modular malware family used as a downloader that facilitates further malicious activity such as keylogging, credential theft, and additional payload downloads. Andromeda often propagates via USB drives.
Forge Detection: The malware conceals the execution of rundll32.exe by using odd string patterns made up of dashes, underscores, and obfuscated arguments in place of a recognizable DLL name and export. Some examples include:
- "C:\Windows\system32\rundll32.exe" \_----______--_-_-_---__---_----_-__---___-_____---_-__._----______--_-_-_---__---_----_-__---___-_____---_-__,wmSMWWOemsikSACk
- "C:\windows\system32\rundll32.exe" \-----_---__-_----_--___--_-_-_-----_--_--_.{AF3EF12F-8F49-4631-9E2E-A58BFD361FFA},FTdrtldZRNJB733j
Detecting unusual patterns like these is essential because the obfuscated strings are designed to evade standard security controls, making the malicious behavior harder to identify.
We have observed increased prevalence of this persistence mechanism throughout this year, and more recently in late August and early this month.
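One way to turn this observation into detection logic, as an added example that is not part of the Forge content: parse the rundll32.exe command line, isolate the DLL file name, and flag it when the name is made only of dashes and underscores or contains a long run of them. The sample command lines are constructed (the two flagged ones are the patterns quoted above; the others are benign look-alikes), and the run-length threshold is an assumption to tune per environment.

```python
import re

# Match the rundll32 image (quoted or not, any directory) and capture the rest.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<image>(?:[^"\s]*[\\/])?rundll32\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
JUNK = set("-_")

def split_rundll32_args(cmdline):
    """Return (module_basename, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m or not m.group("args").strip():
        return None
    args = m.group("args").strip()
    if args.startswith('"'):                      # quoted module path
        module, _, rest = args[1:].partition('"')
        export = rest.lstrip(",").strip()
    else:                                         # bare path: export follows first comma
        module, _, export = args.partition(",")
    base = module.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    return base, export.strip()

def longest_junk_run(s):
    """Length of the longest consecutive run of '-' / '_' characters in s."""
    return max((len(r) for r in re.findall(r"[-_]+", s)), default=0)

def is_suspicious_rundll32(cmdline, min_run=8):
    """True when the DLL name matches the dash/underscore pattern described above."""
    parsed = split_rundll32_args(cmdline)
    if parsed is None:
        return False
    base, _export = parsed
    stem = base.split(".", 1)[0]
    if stem and set(stem) <= JUNK:               # file name is nothing but - and _
        return True
    return longest_junk_run(base) >= min_run     # or a long junk run anywhere in it

# Constructed sample of process-creation command lines (assumed log input).
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\rundll32.exe" \_----______--_-_-_---__---_----_-__---___-_____---_-__._----______--_-_-_---__---_----_-__---___-_____---_-__,wmSMWWOemsikSACk',
    r'"C:\windows\system32\rundll32.exe" \-----_---__-_----_--___--_-_-_-----_--_--_.{AF3EF12F-8F49-4631-9E2E-A58BFD361FFA},FTdrtldZRNJB733j',
    r'"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\vendor_helper-x64.dll",Start',
    r'"C:\Windows\system32\cmd.exe" /c echo ________',
]

def flag_suspicious(cmdlines):
    """Return the subset of command lines that trip the rundll32 check."""
    return [c for c in cmdlines if is_suspicious_rundll32(c)]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_CMDLINES):
        print("SUSPICIOUS:", hit)
```

Only the DLL name is scored, so legitimate exports containing underscores (such as Control_RunDLL) do not raise false positives.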