Dridex Malware Campaign Disrupted

$40 Million Botnet Disrupted, Suspect Arrested in Cyprus

An international law enforcement operation - spearheaded by the U.S. Federal Bureau of Investigation and Britain's National Crime Agency - has disrupted the notorious Dridex banking malware, which has been tied to at least $40 million in losses worldwide. The U.S. Department of Justice also reports that a suspected Dridex ringleader has been arrested in Cyprus and that it is seeking his extradition.

The Dridex malware, which is also known as Bugat and Cridex, can spread using peer-to-peer techniques and is designed to steal online banking credentials. Officials have said the malware has been used to steal more than £20 million (U.S. $31 million) from victims in the United Kingdom and $10 million in the United States, although British officials note that estimates are "conservative."

"This is a particularly virulent form of malware, and we have been working with our international law enforcement partners, as well as key partners from the industry, to mitigate the damage it causes," says Mike Hulett, head of operations at the NCA's National Cyber Crime Unit. "Our investigation is ongoing and we expect further arrests to be made."

The NCA notes that Dridex was developed by "technically skilled cybercriminals in Eastern Europe to harvest online banking details" and that "global financial institutions and a variety of different payment systems have been particularly targeted." Earlier this year, Britain's computer emergency response team, CERT-UK, warned that while Dridex was known to be prolific, it was having difficulty tracking related infections.

Now, however, law enforcement agencies say they have seized the command-and-control servers being used by the gang and are actively disrupting the malware. "The National Crime Agency is conducting activity to 'sinkhole' the malware, stopping infected computers - known as a botnet - from communicating with the cybercriminals controlling them," the NCA says. "This activity is in conjunction with a U.S. sinkhole, currently being undertaken by the FBI."

"Through a technical disruption and criminal indictment we have struck a blow to one of the most pernicious malware threats in the world," says U.S. Attorney David Hickton.

Multifunctional Malware

Alan Woodward, a University of Surrey computer science professor and cybersecurity adviser to Europol, says the takedown effort was driven, in part, by a recent surge in Dridex phishing attacks - and malware infections - in Britain. "It's very virulent, it spreads very easily and it's quite difficult to detect in network traffic because it uses a peer-to-peer network, as well as having its own command-and-control network," he says. Beyond stealing banking credentials, attackers "can then turn your machine into part of a botnet and hire it out for DDoS attacks to other people," as well as to serve as spam relays.

The malware can spread in a number of ways, including using "obfuscated macros in Microsoft Office and extensible markup language files to infect systems," US-CERT warns in an Oct. 13 alert (see Banking Malware Taps Macros). "The primary goal of Dridex is to infect computers, steal credentials, and obtain money from victims' bank accounts."

Dridex is derived from Cridex, which is based on the Gameover Zeus malware (see Malware's Stinging Little Secret). "Dridex is an evolution of an increasingly sophisticated family of malware focused on stealing banking credentials," says Ken Westin, a senior security analyst with security firm Tripwire, in a blog post. While the malware emerged in 2011, "this particular strain of the bank credential stealing malware was first seen a year ago and has quickly become increasingly sophisticated."

Moldovan Man Indicted

Officials say their Dridex investigation has led to one significant arrest so far, of Andrey Ghinkul - a.k.a. Andrei Ghincul, and Smilex - of Moldova, an Eastern European country and former Soviet republic. Ghinkul, 30, was arrested on Aug. 28 in Cyprus; the United States is seeking his extradition (see How Do We Catch Cybercrime Kingpins?). News of his arrest - although not his name - came to light in September.

In a nine-count U.S. federal grand jury indictment dated Sept. 16 and unsealed Oct. 13, Ghinkul and unnamed co-conspirators have been charged with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud. According to the indictment, Ghinkul and others attempted to initiate a wire transfer for $999,000 from Pennsylvania's Sharon City School District's account at First National Bank to an account located in Kiev, Ukraine, which was controlled by the gang's money mules.

The group has also been accused of an August 2012 transfer of $2.2 million from a Delmont, Penn.-based Penneco Oil account at First Commonwealth Bank to an account located in Russia, followed by a September 2012 transfer of $1.3 million from a Penneco Oil account to a bank account in Belarus. "The company's account information was allegedly obtained through a phishing email sent to a Penneco Oil employee," according to the Department of Justice.

To date, however, it's not clear exactly who has been involved in Dridex attacks. "We think it's an Eastern European gang," Woodward says, noting law enforcement agencies suspect that the gang members may be part of the criminal group known as Evil Corp. "It's certainly some sort of organized gang like that, that appears to be behind it." Trying to get to the gang is going to be quite difficult, he adds, although he notes that related efforts remain underway.

International Takedown

The international Dridex disruption operation was spearheaded by the FBI and NCA, but included assistance from Europol's EC3 and JCAT, Britain's GCHQ intelligence agency, London police, CERT-UK, the BKA federal police in Germany, Moldovan authorities, as well as a range of private sector organizations, including Dell SecureWorks, Fox-IT, S21sec, the Shadowserver Foundation and Spamhaus.

"Cybercriminals often reach across international borders, but this operation demonstrates our determination to shut them down no matter where they are," says FBI Executive Assistant Director Robert Anderson. "The criminal charges announced today would not have been possible without the cooperation of our partners in international law enforcement and private sector."

If past botnet disruptions are any guide, however, the gang behind Dridex will soon retool their malware to evade the law enforcement agencies' sinkhole operations. Indeed, just three months after the June 2014 Gameover Zeus botnet disruption, security experts were warning that the malware had been updated and that related attacks were ramping up (see Gameover Zeus Trojan Continues Resurgence).

Woodward says sinkholing is a temporary measure. "Although it mitigates the problem, it cannot go on forever." The NCA estimates that there may be thousands of Dridex-infected systems in Britain alone, the majority of which run Windows, and Woodward says it's imperative that people eliminate it from their computers while the sinkholes hold. "To protect themselves, people can do all the usual mother and apple pies, including keeping your anti-virus up to date, because all of the anti-virus will detect it."

To help, the NCA has also set up the CyberStreetWise and GetSafeOnline websites, while the FBI has created a Dridex information site, all of which include removal instructions.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
