Security researchers with Dell SecureWorks Counter Threat Unit (CTU) have teamed with the FBI, the U.K. National Crime Agency (NCA) and the Shadowserver Foundation to take over the Dridex botnet. Authorities have linked the botnet to an estimated £20m (roughly $30.5 million US) in losses in the U.K., and at least $10 million in losses in the United States.
However, the CTU predicts the losses are higher as Dridex botnet operators and their affiliates have targeted customers of countless financial institutions – both large and small – (banks, credit card companies and popular online payment services) in 27 different countries located across North America, Europe, Middle East, Asia and the South Pacific (including Australia and New Zealand). Dridex infections are especially significant in the United Kingdom, U.S. and France.
The Dridex Banking Trojan (known by the CTU as Bugat v5) has infected tens of thousands of computers worldwide and targets financial credentials, certificates, cookies and other information from the computer systems of users with the goal of committing Automated Clearing House (ACH) transactions and wire fraud. ACH is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches.
The CTU research team first investigated the Dridex Banking Trojan in July 2014. They found that Dridex was built using the source code of another banking Trojan known as Bugat (also referred to as Cridex). Despite this, Dridex is distinct from other Bugat variants due to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to obfuscate its backend infrastructure and make takedown attempts more difficult. The Dridex P2P network is a hybrid between a centralised and decentralised network, with peer lists and configuration files distributed by the backend servers rather than exchanged directly between peers. Binary updates and modules are exchange autonomously between peers in the network, which reduces some of the load on the backend.
The Dridex banking malware is distributed through spam emails utilising various lures. In the past, some of the spam email attachments exploited vulnerabilities. More recently however, the Dridex attackers have used Microsoft Word macros (a function in Word which provides for a series of commands and instructions, grouped together as a single command, to accomplish a task automatically). After the target opens the Word document, the macro attempts to download and execute the Dridex loader, which in turn installs the other botnet components. There are four main components of the Dridex Banking Trojan:
Loader — downloads the core module and an initial node list to join the P2P network
Core module — performs the malware’s core functions (harvesting credentials, performing man-in-the-browser attacks using web injects, downloading the VNC and backconnect modules, etc.)
VNC module — allows the attacker to remotely view and control a victim’s computer. This is a standard tool used by many banking trojans because it allows the attacker to use a victim’s computer to connect to a financial institution’s website. Certainly using the same IP address, web browser and cookies as the legitimate user makes the fraudulent activities harder to detect.
Backconnect module — allows the attacker to tunnel network traffic through a victim’s computer
The threat group, which developed the Dridex Banking Trojan source code and controls the botnet, is believed to be out of Eastern Europe. Similar to the Peer to Peer Gameover Zeus Botnet (which the CTU assisted Law Enforcement in taking down in May 2014) and to the Gozi Neverquest Botnet , the Dridex Botnet operates an affiliate model. Thus, the Dridex Botnet is partitioned into sub-botnets, and each affiliate is given access to its own subset of bots. The CTU has observed 13 Dridex sub-botnets.
The CTU began tracking Dridex in July 2014 and to date has captured 359 unique configuration files, with 414 active web inject targets, for the botnet. The web injects used by Dridex vary depending on the targets of the particular sub-botnet, and some of the web injects are region specific.
In collaboration with the NCA, the FBI, and the Shadowserver Foundation, CTU researchers developed and executed a technical strategy to take over the Dridex botnet by poisoning each sub-botnet’s P2P network and redirecting infected systems to a sinkhole. Essentially, this ensured that all the infected computers of the Dridex botnet are no longer under the control of the Dridex operators and their affiliates. Thus, they cannot continue to compromise their information and control their computer.
“The takedown of the Gameover Zeus botnet in June2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions,” Brett Stone-Gross of Dell SecureWorks’ Counter Threat Unit explained.
“To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and both Dridex and Dyre, indicating previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities. However, neither Dridex or Dyre have been able to rival the sophistication, size, and success of Gameover Zeus.”