Pierluigi Paganini October 15, 2015

A joint effort of law enforcement agencies the US and EU and with the support of private cybersecurity firm aims to disrupt the activities of the Dridex botnet.

Dridex malware is known to be the successor of another malware like Cridex, Feodo, Bugat, etc etc, and uses many techniques with the purpose of stealing users, normally related with personal and financial information, which can be used by crooks to commit fraud.

In recent times, Dridex has been spread through spam campaigns relying on bogus Microsoft Word documents, and the majority of the victim are residents in the Unites States and the United Kingdom.

It has been estimated that losses caused by this malware ascend to $40 million ($10 million in the U.S. and $30 million in the U.K).  The NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

Talking about the Dridex botnet, it’s divided into many sub-botnets, and takes advantage of the peer-to-peer (P2P) network to be able to communicate, so because it’s a botnet and can communicate means that it’s very difficult to take it down.

Security vendors have been working together to try to take down botnets like Dridex with the support of the authorities but it is a hard challenge, and in the case of Dridex they face another issue, Dridy network is like a hybrid, a centralize and decentralize network, because peer list and config file are spread centrally by its backend servers.

“Threat actors created botnets such as Dridex to fill the void left by the takedown of the Gameover Zeus botnet in May 2014 as part of Operation Tovar. Despite a significant overlap in tactics, techniques, and procedures (TTPs), Dridex never rivaled the sophistication, size, and success of Gameover Zeus. This operation took advantage of weaknesses in Dridex’s hybrid P2P architecture to take over the botnet.” reported Dell SecureWorks.

The good news is that FBI announced recently that a 30-year old Dridex administrator, Andrey Ghinkul also known as “Andrei Ghincul” and “Smilex,”, with Modovan nationality was arrested in Cyprus on 28 of August.

Authorities are aiming for extradition to the United States, where Andrey Ghinkul have been charged with nine accusations, where is included:

• criminal conspiracy
• damaging a computer
• unauthorized computer access with intent to defraud
• wire fraud
• bank fraud

Without sure yet, it’s said that Ghinkul was part of a criminal conspiracy, that was focused on stealing bank credentials, that would be used later for transfer money from victims’ accounts to the accounts of money mules.

FBI teamed up with Europol’s European Cybercrime Centre (EC3), UK, Germany and Moldova authorities,  to bring down Dridy bootnet, and the arrest of Ghinkul was the effort of all the group, also private organizations are helping the authorities, Fox-IT, S21sec, Abuse.ch, Spamhaus, the Shadowserver Foundation, and Trend Micro.

About the Author Elsio Pinto

Pierluigi Paganini

(Security Affairs –  Dridex banking Trojan, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]