An international law enforcement crackdown against the Dridex botnet has seen one man charged and a coordinated effort to sinkhole thousands of compromised computers, cutting them off from the botnet’s control. The operation, which involved the FBI in the US, the UK National Crime Agency, and a number of other international agencies, may seriously disrupt a cybercrime enterprise which has stolen tens of millions of dollars from victims worldwide.
Potent financial threat
Dridex, which is detected by Symantec as W32.Cridex and also known as Bugat, is a financial threat that adds the infected computer to a botnet and injects itself into the victim’s web browser in order to steal information, including banking credentials.
The malware is usually spread through phishing emails designed to appear to come from legitimate sources in order to lure the victim into opening a malicious attachment. It is also capable of self-replication by copying itself to mapped network drives and attached local storage such as USB keys. As is common with most financial attackers, the Dridex group regularly changed its tactics and most recently has been observed using malicious macros in Microsoft Office documents attached to emails to infect computers.
As reported in Symantec’s State of financial Trojans 2014 whitepaper, Dridex was the third largest financial threat last year, accounting for some 29,000 detections. Nevertheless, this represented a decrease, with the number of infections down 88 percent since 2012.
Recent telemetry suggests that the threat has enjoyed something of a resurgence in activity, with detections beginning to increase again in the past few months.
Figure 1. Dridex detections during 2015
The attackers behind Dridex have targeted a broad range of countries. The largest number of detections in 2015 was in the US. This was followed by Japan and Germany, with significant numbers of infections also seen in the UK, Canada, Australia, and a number of other European countries.
Figure 2. Top ten countries by number of Dridex detections in 2015
Law enforcement swoop
Yesterday’s operation saw a 30-year-old Moldovan man charged by prosecutors in the US for offences including criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud, and bank fraud. His extradition to the US is currently being sought following his arrest in Cyprus in August.
The FBI also obtained an injunction permitting it to start sinkholing Dridex infections by redirecting traffic from infected computers away from command-and-control (C&C) servers to benign substitute servers. This sinkholing operation is also being supported by the UK National Crime Agency.
This is the latest in a series of recent takedowns against major financial fraud cybercrime groups, following earlier operations against Gameover Zeus, Shylock, and Ramnit.
Symantec and Norton products have the following protections against Dridex:
Intrusion Prevention System
- Use a robust security suite, such as Symantec Endpoint Protection or Norton Security, and keep it updated.
- Delete any suspicious-looking emails you receive, especially if they include links or attachments. Don’t even open them, just delete them. If they purport to come from legitimate organizations, verify with the organization in question first.
- Disable macros in Microsoft Office applications to prevent macros from running when documents are opened.
- Using an email security solution should remove the chance of you accidentally opening malicious email and malicious attachments in the first place.
- If you suspect Dridex infection, immediately change your online banking account passwords using a different computer and contact your bank to alert it to any fraudulent transactions taking place. Do the same for any account that you may have accessed using your infected computer.