Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development

Inside the Dridex Malware Takedown

In-Depth Information Sharing Enabled Botnet Disruption, Experts Reveal
Inside the Dridex Malware Takedown

Thanks to an international law enforcement operation, the ultra-virulent Dridex malware and related botnet have been disrupted (see Dridex Malware Campaign Disrupted).

See Also: Close the Gapz in Your Security Strategy

But what was crucial to the takedown - and for any such future efforts - was the unprecedented level of collaboration among financial services firms around the world, says Andy Chandler, a senior vice president and business unit general manager for European security vendor Fox-IT, which was one of the private organizations that assisted law enforcement agencies with their related operation.

"The subject matter expertise that banks shared with Fox-IT and law enforcement was refreshing - and critical - for making inroads into the Dridex and Evil Corp infrastructure," Chandler tells Information Security Media Group (see FBI Hacker Hunt Goes 'Wild West').

Evil Corp is the name of the Eastern European criminal syndicate that many security experts believe is behind Dridex - a.k.a Bugat and Cridex - which officials say is responsible for at least $40 million in losses globally, and likely much more. "The Dridex campaign is being run by "a tightly knit group of cybercriminals based primarily in Russia and Moldova," FBI Special Agent Brian Stevens writes in a related affidavit. Evil Corp is also a spin-off of Business Club, which was the group behind Gameover Zeus, Fox-IT says (see Lessons from Gameover Zeus Takedown).

Currently, however, Dridex malware infections and related botnet command-and-control activity are being redirected to sinkholes run by the U.S. FBI and Britain's National Crime Agency, thus disrupting the attackers' ability to infect new PCs, steal people's online banking credentials, or rent out the botnet to anyone who wants to send spam or launch distributed denial-of-service attacks.

As part of the Dridex disruption, the U.S. Department of Justice is also attempting to extradite one of the alleged masterminds, Andrey Ghinkul - a.k.a. Andrei Ghincul, and Smilex - of Moldova, who was arrested on Aug. 28 in Cyprus. He's been charged with helping to develop and administer the Dridex botnet and steal millions of dollars from targets via phishing and malware attacks and wire-transfer fraud.

Unprecedented Information Sharing

While the FBI says it has been investigating Dridex and tracking Ghinkul as part of a "multi-year investigation," Fox-IT's Chandler says that banks' sharing of information - and not just "the same old technical stuff" or empty marketing pronouncements of the need for collaboration and sharing - was crucial to disrupting these attacks (see UK Urges Banks: Share Threat Intel).

"What was really different in this investigation was the collaborative involvement of global banks impacted with Dridex," he says. All told, more than 10 banks - which he declined to name - shared intelligence with each other related to this one botnet, "including going back and forth to get to the bottom of the challenge and then sharing the answers and conclusions with the rest of the community, including phishing mails and relevant data from compromised systems."

The unprecedented level of collaboration was driven in part by rapidly escalating levels of fraud and theft. "Dridex started in the U.K., where we saw the first five- and six-figure fraud [amounts], then it did not take long before Evil Corp moved to mainland Europe and the U.S. As they scaled their footprint, they also increased the amounts they would attempt to steal, and we did see them successfully take seven figures from business accounts," Chandler says. "Currently we see Dridex has been targeting over 25 countries across the globe, including Australia, Belgium, Croatia, Italy and Singapore, to name a few."

More Evil Corp Suspects At Large

The FBI says the Dridex disruption comes after a related multi-year investigation. On Sept. 18, 2014, for example, Stevens says in his affidavit that the FBI learned from security researchers - who had gained access to a Dridex administrative control panel - that "Smilex" was the moniker used by one of the botnet's administrators, and that they traced this nickname to Ghinkul.

The FBI says it suspects that other Evil Corp leaders - who have control over the Dridex botnet - include Moscow-based Maksim Viktorovich Yakubets, a.k.a. "Aqua"; Russia-based Igor Turashev, a.k.a. "nintutu"; as well as two Russia-based men - Maksim Mazilov and Andrey Shkolovoy - who appear to both use the nickname "Caramba."

According to the affidavit, the FBI traced some of the gang's activity thanks to "nintutu" and his use of a Gmail address, after a "pen register" - trace - on an IP address revealed that it was accessed by a specific Gmail address, and also "connected tens of thousands of times to a server hosted in Turkey that was associated with the distribution of Bugat/Dridex."

Botnet Disruption Timeline

But the Dridex investigation went into high gear earlier this year, when the gang unleashed a phishing-attack onslaught against U.K. targets. This led to the NCA in April launching an investigation "to identify components of the Bugat/Dridex peer-to-peer network in the U.K.," Stevens says in his affidavit.

"On or around the weekend of September 4, 2015, the National Crime Agency seized the key components of the C&C system for the Bugat/Dridex botnet that were located in the U.K. Because these servers had been disabled, the super-peers and peers have no centralized mechanism to receive new commands or peer lists," he says. "We assess that the Bugat/Dridex system has been temporarily disabled, but the defendants could re-establish control of the system at any time by registering new C&C servers to issue commands to the botnet."

Will Dridex Return?

As that warning highlights, with suspected Evil Corp members remaining at large, the Dridex botnet disruption is likely to be temporary.

"I believe it will be fairly short-lived," says Ken Westin, a security analyst for security firm Tripwire. "The malware authors will adapt the tools and initiate more attacks. There is just too much money to be made for these groups to be deterred by a single takedown." Likewise, he predicts that new "strains" of the malware - evolving as it is adapted and modified by new groups - will remain "in the wild for quite a while."

"Botnet takedowns are rarely 100 percent effective, and there are likely still plenty of smaller botnets powered by the Dridex malware operating today," says John Wilson, field CTO at security software company Agari. Going forward, he predicts, "we can expect to see evolved versions that will be hardened against the peer-poisoning technique used in the recent takedown."

Such hardening could be accomplished by attackers shifting their operations to using "no questions asked" bulletproof hosting services, says Tom Kellermann, chief cybersecurity officer at threat-intelligence firm Trend Micro. "I believe Evil Corp will be back in operation by month's end, [with] ... bulletproof hosting and the protection-racket state of Eastern Europe facilitating this," he says (see Hacker Havens: The Rise of Bulletproof Hosting Environments).

In the past, furthermore, some takedowns lead to increases in the quantity and technical sophistication of malware being sold on the cybercrime market, says Eward Driehuis, a product director at Fox-IT. "All of the hackers were fighting to have the best malware, after the [2014] takedown of Gameover Zeus - they were trying to differentiate." And there are still "four very popular malware strains attacking banks" (see In Britain, Malware No. 1 Cyberthreat).

Keep Collaborating

Going forward, however, Tripwire's Westin notes that if the level of collaboration between U.S. and U.K. organizations and government agencies can continue, it should enable law enforcement agencies to continue to disrupt cybercrime syndicates, even when they operate from countries that historically have not arrested or extradited suspected cybercriminals (see How Do We Catch Cybercrime Kingpins?).

Intel Security's Raj Samani discusses why the public and private sectors are driven to improve collaboration.

Raj Samani, who's the chief technology officer for Europe, the Middle East and Africa for Intel Security - which assisted with the Drydex takedown - as well as a cybersecurity adviser to Europol, says that levels of cooperation are already quite high. "We keep saying it every time - 'unprecedented collaboration' - but is it unprecedented, or is it the fact that we are now working together and collaborating, and being hugely successful?"

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.