Inside the Dridex Malware Takedown

In-Depth Information Sharing Enabled Botnet Disruption, Experts Reveal
But what was crucial to the takedown - and for any such future efforts - was the unprecedented level of collaboration among financial services firms around the world, says Andy Chandler, a senior vice president and business unit general manager for European security vendor Fox-IT, which was one of the private organizations that assisted law enforcement agencies with their related operation.
"The subject matter expertise that banks shared with Fox-IT and law enforcement was refreshing - and critical - for making inroads into the Dridex and Evil Corp infrastructure," Chandler tells Information Security Media Group (see FBI Hacker Hunt Goes 'Wild West').
Evil Corp is the name of the Eastern European criminal syndicate that many security experts believe is behind Dridex - a.k.a. Bugat and Cridex - which officials say is responsible for at least $40 million in losses globally, and likely much more. The Dridex campaign is being run by "a tightly knit group of cybercriminals based primarily in Russia and Moldova," FBI Special Agent Brian Stevens writes in a related affidavit. Evil Corp is also a spin-off of Business Club, which was the group behind Gameover Zeus, Fox-IT says (see Lessons from Gameover Zeus Takedown).
Currently, however, Dridex malware infections and related botnet command-and-control activity are being redirected to sinkholes run by the U.S. FBI and Britain's National Crime Agency, thus disrupting the attackers' ability to infect new PCs, steal people's online banking credentials, or rent out the botnet to anyone who wants to send spam or launch distributed denial-of-service attacks.
As part of the Dridex disruption, the U.S. Department of Justice is also attempting to extradite one of the alleged masterminds, Andrey Ghinkul - a.k.a. Andrei Ghincul, and Smilex - of Moldova, who was arrested on Aug. 28 in Cyprus. He's been charged with helping to develop and administer the Dridex botnet and steal millions of dollars from targets via phishing and malware attacks and wire-transfer fraud.
Unprecedented Information Sharing
While the FBI says it has been investigating Dridex and tracking Ghinkul as part of a "multi-year investigation," Fox-IT's Chandler says that banks' sharing of information - and not just "the same old technical stuff" or empty marketing pronouncements of the need for collaboration and sharing - was crucial to disrupting these attacks (see UK Urges Banks: Share Threat Intel).
"What was really different in this investigation was the collaborative involvement of global banks impacted with Dridex," he says. All told, more than 10 banks - which he declined to name - shared intelligence with each other related to this one botnet, "including going back and forth to get to the bottom of the challenge and then sharing the answers and conclusions with the rest of the community, including phishing mails and relevant data from compromised systems."
The unprecedented level of collaboration was driven in part by rapidly escalating levels of fraud and theft. "Dridex started in the U.K., where we saw the first five- and six-figure fraud [amounts], then it did not take long before Evil Corp moved to mainland Europe and the U.S. As they scaled their footprint, they also increased the amounts they would attempt to steal, and we did see them successfully take seven figures from business accounts," Chandler says. "Currently we see Dridex has been targeting over 25 countries across the globe, including Australia, Belgium, Croatia, Italy and Singapore, to name a few."
More Evil Corp Suspects At Large
The FBI says the Dridex disruption comes after a related multi-year investigation. For example, Stevens says in his affidavit that on Sept. 18, 2014, the FBI learned from security researchers - who had gained access to a Dridex administrative control panel - that "Smilex" was the moniker used by one of the botnet's administrators, and that they traced this nickname to Ghinkul.
The FBI says it suspects that other Evil Corp leaders - who have control over the Dridex botnet - include Moscow-based Maksim Viktorovich Yakubets, a.k.a. "Aqua"; Russia-based Igor Turashev, a.k.a. "nintutu"; as well as two Russia-based men - Maksim Mazilov and Andrey Shkolovoy - who appear to both use the nickname "Caramba."
According to the affidavit, the FBI traced some of the gang's activity thanks to "nintutu" and his use of a Gmail address, after a "pen register" - trace - on an IP address revealed that it was accessed by a specific Gmail address, and also "connected tens of thousands of times to a server hosted in Turkey that was associated with the distribution of Bugat/Dridex."
Botnet Disruption Timeline
But the Dridex investigation went into high gear earlier this year, when the gang unleashed a phishing-attack onslaught against U.K. targets. This led to the NCA in April launching an investigation "to identify components of the Bugat/Dridex peer-to-peer network in the U.K.," Stevens says in his affidavit.
"On or around the weekend of September 4, 2015, the National Crime Agency seized the key components of the C&C system for the Bugat/Dridex botnet that were located in the U.K. Because these servers had been disabled, the super-peers and peers have no centralized mechanism to receive new commands or peer lists," he says. "We assess that the Bugat/Dridex system has been temporarily disabled, but the defendants could re-establish control of the system at any time by registering new C&C servers to issue commands to the botnet."
Will Dridex Return?
As that warning highlights, with suspected Evil Corp members remaining at large, the Dridex botnet disruption is likely to be temporary.
"I believe it will be fairly short-lived," says Ken Westin, a security analyst for security firm Tripwire. "The malware authors will adapt the tools and initiate more attacks. There is just too much money to be made for these groups to be deterred by a single takedown." Likewise, he predicts that new "strains" of the malware - evolving as it is adapted and modified by new groups - will remain "in the wild for quite a while."
"Botnet takedowns are rarely 100 percent effective, and there are likely still plenty of smaller botnets powered by the Dridex malware operating today," says John Wilson, field CTO at security software company Agari. Going forward, he predicts, "we can expect to see evolved versions that will be hardened against the peer-poisoning technique used in the recent takedown."
Such hardening could be accomplished by attackers shifting their operations to using "no questions asked" bulletproof hosting services, says Tom Kellermann, chief cybersecurity officer at threat-intelligence firm Trend Micro. "I believe Evil Corp will be back in operation by month's end, [with] ... bulletproof hosting and the protection-racket state of Eastern Europe facilitating this," he says (see Hacker Havens: The Rise of Bulletproof Hosting Environments).
Furthermore, some past takedowns have led to increases in the quantity and technical sophistication of malware being sold on the cybercrime market, says Eward Driehuis, a product director at Fox-IT. "All of the hackers were fighting to have the best malware, after the takedown of Gameover Zeus - they were trying to differentiate." And there are still "four very popular malware strains attacking banks" (see In Britain, Malware No. 1 Cyberthreat).
Going forward, however, Tripwire's Westin notes that if the level of collaboration between U.S. and U.K. organizations and government agencies can continue, it should enable law enforcement agencies to continue to disrupt cybercrime syndicates, even when they operate from countries that historically have not arrested or extradited suspected cybercriminals (see How Do We Catch Cybercrime Kingpins?).
Raj Samani, who's the chief technology officer for Europe, the Middle East and Africa for Intel Security - which assisted with the Dridex takedown - as well as a cybersecurity adviser to Europol, says that levels of cooperation are already quite high. "We keep saying it every time - 'unprecedented collaboration' - but is it unprecedented, or is it the fact that we are now working together and collaborating, and being hugely successful?"