AnMaXX, Gerber EDV and the Qrypter Connection

Published on 9th April 2018, 10:03:17 UTC

In August 2017, I blogged about Adwind, a cross-platform RAT written in Java that is also known as "jRAT" and "JSocket". The main infection vector for Adwind is spoofed email. The attacker doesn't have to care about the recipient's operating system (OS): Adwind runs on Windows, macOS and Linux.

Recently, security researchers and AV vendors have published a handful of interesting blog posts on Adwind. The recent rise in Adwind campaigns seems to be related to Qrypter: a Malware-as-a-Service (MaaS) platform @Angelill0 blogged about in December 2017. The Qrypter MaaS platform is hosted in the Tor network, which makes it more resilient against takedowns and actions by law enforcement (LEA). However, the botnet controllers themselves are hosted on the clear net. The following map shows the top Adwind C&C hosting countries in the past 6 months. In this period I've spotted almost 10'000 Adwind samples calling out to more than 2'800 distinct botnet controllers (C&Cs). Most of these Adwind samples are related to the Qrypter MaaS.

Looking at the top Adwind botnet C&C hosting countries, we can see that they are mostly hosted in the United States (US), followed by the Netherlands (NL) and Great Britain (GB):

Adwind botnet C&C geo location

In my blog post on Adwind in August 2017, I mentioned AnMaXX. AnMaXX was (and still is) one of the networks hosting the vast majority of the Adwind C&Cs. However, it's not just AnMaXX. A few days after I published my Adwind blog post I came across another network called Gerber EDV-Dienstleistungen (aka During my investigation, the network quickly raised my attention: Gerber EDV has, just like AnMaXX, no website:

Screenshot of

Screenshot of

But not just that raised my suspicion. Both Gerber EDV and AnMaXX are hosted on the same IP address and even use the same mailserver (MX), which doesn't make the situation any better.


Is it possible that Gerber EDV is operated by the same guys as AnMaXX? It indeed seems so. That IP address also hosts another domain name:

Taking a closer look at the netranges of Gerber EDV associated with Qrypter reveals that they all have one thing in common: they are labeled "Gerber non logging VPN Service". So it appears that Gerber sells VPN services, but I'm wondering how Gerber EDV advertises and sells them, as their domain name doesn't host any website (uh?). As Gerber EDV-Dienstleistungen has its offices in Switzerland, I decided to visit them and ask where all this abuse related to Adwind / Qrypter is coming from.

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
netname:        Gerber_non-logging_VPN_service
country:        CH
admin-c:        JG8768-RIPE
tech-c:         JG8768-RIPE
org:            ORG-GE100-RIPE
abuse-c:        GE2550-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-DA327
created:        2017-11-14T13:09:30Z
last-modified:  2017-11-15T08:57:40Z
source:         RIPE

organisation:   ORG-GE100-RIPE
org-name:       Gerber EDV-Dienstleistungen
org-type:       OTHER
remarks:        ****************************************************
remarks:        Spamhaus, please note:
remarks:        For further information please contact:
remarks: or
remarks:        Thank you.
remarks:        ****************************************************
address:        Junkerngasse 44, 3011 Bern, Switzerland
abuse-c:        GE2550-RIPE
mnt-ref:        GERBER-MNT
mnt-ref:        MNT-DA327
mnt-by:         GERBER-MNT
mnt-by:         MNT-DA327
created:        2017-11-04T22:44:21Z
last-modified:  2017-11-09T11:29:29Z
source:         RIPE # Filtered
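Records like the one above are what you end up reading by the dozen when chasing a bulletproof hoster, so it pays to parse them instead of eyeballing them. The script below is an added example, not code from this post or from abuse.ch: it splits RIPE database (RPSL) whois output into objects, collects the pivot points (netname, org-name, postal address, maintainers) and flags the cues that made this record stand out. The sample text is a constructed excerpt modelled on the record above; the real netrange and contact e-mail addresses are not reproduced on this page, so a documentation range (RFC 5737 TEST-NET-1) and a placeholder e-mail are used in their place.

```python
"""Parse RIPE database (RPSL) whois output and pull out the fields an abuse
analyst pivots on: netname, organisation, postal address, maintainers.

Added example; not code from the original post or from abuse.ch. SAMPLE_WHOIS
is a constructed excerpt modelled on the Gerber EDV record: the netrange is
RFC 5737 TEST-NET-1 and the contact address is a placeholder, because neither
is reproduced on the page.
"""
import re

SAMPLE_WHOIS = """\
% Information related to '192.0.2.0 - 192.0.2.255'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        Gerber_non-logging_VPN_service
country:        CH
admin-c:        JG8768-RIPE
tech-c:         JG8768-RIPE
org:            ORG-GE100-RIPE
abuse-c:        GE2550-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-DA327
created:        2017-11-14T13:09:30Z
last-modified:  2017-11-15T08:57:40Z
source:         RIPE

organisation:   ORG-GE100-RIPE
org-name:       Gerber EDV-Dienstleistungen
org-type:       OTHER
remarks:        ****************************************************
remarks:        Spamhaus, please note:
remarks:        For further information please contact:
remarks:        abuse@example.invalid
remarks:        Thank you.
remarks:        ****************************************************
address:        Junkerngasse 44, 3011 Bern, Switzerland
abuse-c:        GE2550-RIPE
mnt-ref:        GERBER-MNT
mnt-ref:        MNT-DA327
mnt-by:         GERBER-MNT
mnt-by:         MNT-DA327
created:        2017-11-04T22:44:21Z
last-modified:  2017-11-09T11:29:29Z
source:         RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*?)\s*$")


def parse_rpsl(text):
    """Split whois output into objects: a list of (object_class, attrs).

    attrs maps an attribute name to the list of its values in order of
    appearance, because RPSL allows repeated attributes (remarks, mnt-by,
    mnt-ref) and the repeats are exactly what you pivot on. Objects are
    separated by blank lines, '%' lines are server comments, and a trailing
    '# ...' on a value is an RPSL end-of-line comment.
    """
    objects, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_attr = None, None
            continue
        m = ATTR_RE.match(line)
        if m:
            attr = m.group(1)
            value = re.split(r"\s*#", m.group(2), maxsplit=1)[0]
            if current is None:
                current = (attr, {})  # first attribute names the object class
            current[1].setdefault(attr, []).append(value)
            last_attr = attr
        elif current is not None and last_attr is not None:
            # Continuation line (leading whitespace or '+') extends the
            # previous attribute's value.
            current[1][last_attr][-1] += " " + line.lstrip("+ \t").rstrip()
    if current:
        objects.append(current)
    return objects


def summarize(objects):
    """Collect the pivot points across the inetnum and organisation objects."""
    out = {"maintainers": {}, "remarks": []}
    for cls, attrs in objects:
        out["maintainers"][cls] = set(attrs.get("mnt-by", []))
        if cls == "inetnum":
            out["inetnum"] = attrs["inetnum"][0]
            out["netname"] = attrs.get("netname", [""])[0]
            out["country"] = attrs.get("country", [""])[0]
        elif cls == "organisation":
            out["org-name"] = attrs.get("org-name", [""])[0]
            out["org-type"] = attrs.get("org-type", [""])[0]
            out["address"] = attrs.get("address", [""])[0]
            out["remarks"] = attrs.get("remarks", [])
    sets = list(out["maintainers"].values())
    # A maintainer shared by the inetnum and the organisation links the two
    # records and is a handle for finding sibling objects in the database.
    out["shared_mnt"] = set.intersection(*sets) if sets else set()
    return out


VPN_RE = re.compile(r"non[-_ ]?logging.*vpn", re.IGNORECASE)


def triage_flags(summary):
    """Cues worth a second look, judged from the record alone (none proves abuse)."""
    flags = []
    if VPN_RE.search(summary.get("netname", "")):
        flags.append("netname advertises a non-logging VPN service")
    if summary.get("org-type") == "OTHER":
        flags.append("org-type OTHER: not an LIR, the space is sponsored by someone else")
    if any("spamhaus" in r.lower() for r in summary.get("remarks", [])):
        flags.append("remarks pre-emptively address Spamhaus")
    if summary.get("shared_mnt"):
        flags.append("inetnum and organisation share maintainer(s): "
                     + ", ".join(sorted(summary["shared_mnt"])))
    return flags


if __name__ == "__main__":
    s = summarize(parse_rpsl(SAMPLE_WHOIS))
    print(f"{s['org-name']} / {s['netname']} / {s['address']}")
    for flag in triage_flags(s):
        print(" -", flag)
```

Feed it the output of `whois -h whois.ripe.net <ip>` and the same four checks run over every record of a suspect netblock list; the shared maintainer is usually the fastest way to find the hoster's other assignments.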

After a 1 1/2 hour train ride, I finally arrived in Bern. Gerber has its offices at Junkerngasse 44, which is within walking distance of the train station. So I decided to take a short walk:

Office of Gerber EDV-Dienstleistungen on Google Maps

After a 10-minute walk I arrived at Junkerngasse 44, where Gerber supposedly has its office. It is a nice building in the old town of Bern. Actually, not a cheap place to rent an office. Will I find Gerber EDV here? I started having doubts...

Junkerngasse, Bern (Switzerland)
Building of Gerber EDV-Dienstleistungen

Number 44. That must be it. But checking the sign at the front reveals: there is no Gerber EDV in this building. A quick cross-check in the phone book proves what I just saw: no Gerber EDV at this address:

Phone book search for Junkerngasse 44

As it might be possible that Gerber EDV moved its offices to a different location and forgot to update its RIPE record accordingly (actually, that's something I am confronted with very often: outdated RIPE records), I decided to have a quick look at the Central Business Name Index (Zefix) of the Federal Office of Justice. However, there is no company registered under that name in Switzerland:

Search for Gerber EDV in the Central Business Name Index of the Federal Office of Justice


Gerber (as well as AnMaXX) appears to be entirely fake. It is obvious that both are operated by the same guys. There is no Gerber EDV-Dienstleistungen at Junkerngasse 44 in Bern, and not even a registered company with that name in Switzerland. The sole purpose of Gerber and AnMaXX seems to be providing botnet hosting to the Qrypter MaaS and other RATs such as NanoCore and RemcosRAT. I've also learned that RIPE requires the information provided in RIPE objects to be correct. However, RIPE does not verify the provided information at all. I've submitted a complaint to RIPE regarding the incorrect information provided by Gerber EDV, in the hope that RIPE can force them to reveal their real location (if there is any).

If you are a network or sysadmin, I highly recommend blocking any incoming and outgoing traffic towards the following prefixes, which are owned / maintained by either Gerber EDV or AnMaXX. The prefixes are announced by these ASNs (number of prefixes per ASN in brackets):

AS9070 (2)
AS51395 (2)
AS205406 (2)
AS57695 (2)
AS8473 (1)
AS6830 (1)
AS6775 (2)
AS34304 (1)
AS9125 (1)
AS12389 (1)
AS34547 (1)
AS50841 (1)
AS200995 (1)
AS56630 (3)
AS57944 (1)
AS34989 (1)
AS24961 (1)
AS50113 (1)
AS49981 (1)
AS31103 (1)
AS62240 (1)
AS197155 (6)
AS42160 (1)

In addition, I've seen the following netranges involved in massive Adwind botnet C&C hosting too, but couldn't map them to Gerber EDV or AnMaXX. I recommend blocking them as well on your network perimeter. The announcing ASNs (number of prefixes per ASN in brackets):

AS8100 (1)
AS36351 (1)
AS35017 (1)
AS37692 (1)
AS32489 (1)
AS60781 (2)
AS32181 (1)
AS36666 (1)
AS29278 (1)
AS199267 (1)
AS396362 (1)
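Turning a prefix list like the two above into perimeter rules is routine, but two details matter: block both directions (the outbound C&C beacon from an already infected host is the one you care about with a RAT), and collapse the list so duplicates and more-specifics don't bloat the rule set. The script below is an added example, not code from this post or from abuse.ch; the prefix list it parses is a constructed sample built from documentation ranges (RFC 5737, RFC 3849), not the prefixes referred to above. The set name `adwind_cc` and the use of ipset with iptables are my choices for illustration.

```python
"""Build perimeter block rules (ipset + iptables) from a prefix list and
check addresses against it.

Added example; not code from the original post or from abuse.ch. The prefix
list is a constructed sample made of documentation ranges (RFC 5737 /
RFC 3849), standing in for the real C&C prefixes, which are not reproduced.
"""
import ipaddress

SAMPLE_PREFIX_LIST = """\
# constructed sample of a C&C prefix feed: a comment, a duplicate,
# an overlapping more-specific, an IPv6 prefix and one broken line
192.0.2.0/24
192.0.2.0/24        # duplicate
192.0.2.128/25      # more-specific of the line above
198.51.100.0/24
2001:db8:1::/48
not-a-prefix
"""


def load_prefixes(text):
    """Parse and validate a prefix list, returning (v4, v6, bad_lines).

    Duplicates and more-specifics are collapsed so the rule set stays
    minimal. Unparsable lines are returned instead of silently dropped, so a
    broken feed line does not quietly punch a hole in the blocklist.
    """
    v4, v6, bad = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)), bad)


def firewall_commands(v4, v6, setname="adwind_cc"):
    """Return the shell commands that drop traffic to and from the prefixes.

    INPUT drops inbound traffic from the hosting networks; OUTPUT and FORWARD
    stop an already infected host (local or behind this gateway) from
    reaching its C&C, which is the direction that matters for a RAT.
    """
    cmds = []
    for family, nets, tool, name in (("inet", v4, "iptables", setname),
                                     ("inet6", v6, "ip6tables", setname + "6")):
        if not nets:
            continue
        cmds.append(f"ipset create {name} hash:net family {family} -exist")
        cmds += [f"ipset add {name} {net} -exist" for net in nets]
        for chain, direction in (("INPUT", "src"), ("OUTPUT", "dst"),
                                 ("FORWARD", "dst"), ("FORWARD", "src")):
            cmds.append(f"{tool} -I {chain} -m set --match-set {name} {direction} -j DROP")
    return cmds


def is_blocked(address, v4, v6):
    """True if address falls inside a blocked prefix; run it over connection logs."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in (v4 if ip.version == 4 else v6))


if __name__ == "__main__":
    v4, v6, bad = load_prefixes(SAMPLE_PREFIX_LIST)
    for cmd in firewall_commands(v4, v6):
        print(cmd)
    if bad:
        print("# skipped unparsable lines:", bad)
```

Pipe the printed commands into `sh` on the gateway once you have reviewed them; `-exist` makes the ipset calls idempotent so the same feed can be re-applied on every refresh.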

The mentioned networks are not just used to host Adwind / Qrypter C&Cs; they also host plenty of other botnet controllers associated with dozens of different RATs and malware families, such as RemcosRAT, NanoCore and many more. If you want to convince yourself, take a look at the following list of 5'000+ botnet C&Cs I've seen hosted in these networks in the past years:

More information about Qrypter MaaS can be found here:
